ABSTRACT

Many of the well-known properties of concurrent programs can be classified as Safety Properties or Liveness Properties. In this thesis, several formal methods to derive Safety Properties and Liveness Properties of concurrent programs have been studied.

Various example programs have been treated using these methods, including an On-the-fly Garbage Collector and the Alternating-Bit Protocol.

Finally, a brief comparison is made of the methods studied.



INTRODUCTION

When a program is viewed as an abstract object, it is of interest to know whether the program possesses certain desirable properties, which could be:

Partial Correctness - no execution of the program halts with a wrong result.

Termination - for a specified input data set, every execution of the program halts.

Mutual Exclusion - in a multiprocess program, two critical sections are not accessed together.

Deadlock Freeness - no execution of the program enters a set of states from which further progress is impossible.

First-come First-served - if process p requests service before process q, then process q cannot be served before process p.

Several formal methods have been suggested to derive such properties of programs. In this thesis, we have looked into the methods to derive safety and liveness properties of concurrent programs.

A concurrent program is a program which uses cobegin statements.

A cobegin statement, cobegin $S_1 \| S_2 \| \ldots \| S_n$ coend, signifies the nondeterministic interleaving of the atomic actions (indivisible actions) of the statements $S_1, S_2, \ldots, S_n$. The immediate constituents of a cobegin statement (i.e. $S_1, \ldots, S_n$) are also called 'processes'.
Is there any difference between a sequential program and a concurrent program? That is, is there any reason to consider programs which use cobegin statements (i.e. concurrent programs) separately from those that do not (i.e. sequential programs)?

There is indeed one difference.

The concept of atomic actions (indivisible actions) is of no significance for a sequential program, but is of importance for a concurrent program. In so far as a sequential program is characterised completely by its input-output behaviour, it is of no consequence whether the sequential program is a single atomic action, or is composed of many atomic actions. The grain of indivisible actions is of no importance.

For example the programs

Program A: <x := 2>

Program B: <x := 1; x := x + 1>

Program C: <x := 1>; <x := x + 1>

are all equivalent, as far as input-output behaviour is considered.

(Note - Angle brackets are used to mark off atomic actions).

Even if a concurrent program is characterised completely by its input-output behaviour, the grain of the indivisible actions of the processes is of consequence.

For example, consider

Program A: cobegin <x := 2> || <x := 2> coend
Program B: cobegin <x := 2> || <x := 1; x := x + 1> coend
Program C: cobegin <x := 2> || <x := 1>; <x := x + 1> coend

Program A and B are equivalent.

However program C differs from A.

Program A terminates with {x = 2}; Program C terminates with {x = 2 V x = 3}.

(The execution sequence <x := 1> <x := 2> <x := x + 1> for program C gives x = 3 on termination).

Safety properties of a program state that nothing bad ever happens. Some examples are partial correctness, mutual exclusion and deadlock-freeness. The methods of Manna-Pnueli [MP], Owicki-Gries [OG] and Lamport [LAM3] for deriving safety properties are treated in the chapter on safety properties.

Liveness properties state that something does happen. Some examples are termination, starvation-freeness (i.e. every request for a non-shareable resource is granted), and (in a protocol system) message reception. The chapter on Liveness properties surveys the methods of Owicki-Lamport [OL], Manna-Pnueli [MP] and Lamport [LAM1].

The next chapter examines two well-known examples in the Manna-Pnueli formalism.

The On-the-fly Garbage Collector [DIJ2] is a two process program to collect garbage in a list processing system. The fine grain of interleaving makes the correctness proof quite involved.

The Alternating Bit protocol system [SUN] is used to transmit messages reliably through a medium that may lose messages. In this system, process communication is by message passing, unlike process communication by central shared memory in the other examples. The correctness proof is obtained by modelling the distributed system as one with central shared memory - that is, the transmission medium is modelled as a queue.

We note in passing that there are other methods, not considered in this thesis, to reason about properties of concurrent programs - e.g. [KSL], [LIP], [LAM4]. Also that programs possess properties which do not fall into the safety and liveness categories - e.g.

- Equivalence - one program is equivalent to another.

- An assertion, P, might possibly become true for a program execution.

Most of the proof methods that we consider in this thesis use the temporal logic formalism. We end this chapter with a very brief note on temporal logic, and how program properties are expressed in this formalism.

A brief description of the Linear Time Temporal Logic, which is used in concurrent program verification, follows. Further discussion of Temporal Logic (in the context of concurrent programs) may be found in [LAM2], [PNU], [BMP1], [GPSS].

This description is from [LAM2].

The well-formed formulas of Temporal Logic are called temporal assertions. The set of temporal assertions is obtained in the obvious way from a set of atomic symbols - called atomic predicates - together with the usual logic operators $\wedge$, $\vee$ and $\neg$, and the unary temporal operators '$\Box$' (henceforth) and '$\Diamond$' (eventually). Temporal assertions that do not contain either of the temporal operators $\Box$ and $\Diamond$ are called (immediate) assertions or predicates.

A predicate P represents a declarative statement about the present state of the system, i.e. P is true now. The temporal assertion $\Box P$ represents the statement that P is true now and will always be true in the future. The temporal assertion $\Diamond P$ represents the statement that P is true now or will become true some time in the future.

Models: The semantics of Temporal Logic is defined by describing how temporal assertions are to be interpreted as statements about an underlying model.

A model M is a pair $(S, \Sigma)$ where S is a set of states and $\Sigma$ is a set of sequences of states which satisfies the Tail Closure property.

Let $\sigma = s_0, s_1, s_2, \ldots$ be a sequence of states. Then $\sigma^+$ is defined to be

$\sigma^+ \equiv$ if the length of $\sigma$ is more than 1 then $s_1, s_2, \ldots$ else $\sigma$,

i.e. the sequence obtained by deleting the first element of $\sigma$.

Extending this, $\sigma^i$ is defined to be

$\sigma^i = (\sigma^{i-1})^+$, where $\sigma^0 = \sigma$,

i.e. the sequence obtained by deleting the first i elements of $\sigma$.

The set of sequences $\Sigma$ must satisfy the following condition.

Tail Closure: If $\sigma \in \Sigma$ then $\sigma^+ \in \Sigma$.
A state $s \in S$ is defined to be a truth valued function on the set of atomic predicates,

i.e. State $s : \{\text{atomic predicates}\} \to \{\text{True}, \text{False}\}$.

In the context of programs, the model M is related to the program as follows.

The set of states S is taken to be the set of all conceivable states of the program. Ordinarily, a program state is taken to be any combination of values of program variables and program control locations. Such a program state does not differ from the definition of a state given above. E.g. for a program with a variable y, which has the value 1 in state s, s('y > 0') = true, s('y > 1') = false, s('y > 2') = false, and so on for all the atomic predicates.

The set $\Sigma$ represents all "possible execution sequences" of the program, starting in any conceivable state. Thus a sequence $\sigma = s_0, s_1, s_2, \ldots$ in $\Sigma$ represents an execution sequence that starts in state $s_0$, performs the first program step to reach state $s_1$, performs the next program step to reach state $s_2$, etc. All sequences in $\Sigma$ are infinite - for a finite execution sequence this is ensured by infinitely repeating the last state. That is, if the execution sequence terminates in n steps, in state $s_n$, then the corresponding sequence $\sigma \in \Sigma$ has $s_m = s_n$ for all $m \geq n$.

Intuitively, in a sequence $\sigma = s_0, s_1, s_2, \ldots$, $s_i$ represents the program state at the i-th instant.

The set of all "possible execution sequences" of a program is defined as the set of all sequences of conceivable program states $s_0, s_1, s_2, \ldots$ such that
(i) Next is the 'next state' relation on pairs of states, where $s_i$ Next $s_j$ means that starting in state $s_i$ and executing one program step can put the program into state $s_j$. For a nondeterministic program there may be several possible next states $s_j$.

(ii) Fairness

No execution sequence may have an action forever enabled, without ever occurring.

An action is enabled if control resides at it and its enabling predicate is true.

The set of all possible execution sequences of a program does possess the Tail Closure property.

Tail closure, for program execution sequences, implies that the set of all possible computations from a given state is completely determined by the state itself and not by the history of the computation in reaching that state.

Let $\sigma \in \Sigma$ be any sequence $s_0, s_1, s_2, \ldots$.

The Linear Time interpretation of a temporal assertion P in the model $M = (S, \Sigma)$ is the mapping

$P : \Sigma \to \{\text{True}, \text{False}\}$, defined inductively as follows.

- if P is an atomic predicate, then

$P(\sigma) = s_0(P)$

- if P is an immediate assertion (predicate) then its interpretation is defined in the obvious way, in terms of the interpretations of its constituents

$[Q \vee R](\sigma) = Q(\sigma) \vee R(\sigma)$
$[Q \wedge R](\sigma) = Q(\sigma) \wedge R(\sigma)$
$[\neg Q](\sigma) = \neg Q(\sigma)$

- if P is any temporal assertion, the interpretation of $\Box P$ and $\Diamond P$ is defined as follows.

$\Box P(\sigma) = \forall n \geq 0 : P(\sigma^n)$

$\Diamond P(\sigma) = \exists n \geq 0 : P(\sigma^n)$

A temporal assertion P is M-valid for a model $M = (S, \Sigma)$ in the logic of linear time (i.e. $M \models P$) if $P(\sigma)$ is true for every $\sigma \in \Sigma$.

In the linear time temporal logic, $\Diamond$ is equivalent to $\neg\Box\neg$, so that only the single temporal operator $\Box$ need be considered. The operator $\Box$ cannot express certain important properties of concurrent programs - such as First Come First Served.

"Generalized Temporal Logic" uses the dyadic $\Box$ operator instead of the monadic one. The generalized temporal assertion $R \Box P$ represents the statement that P is true "as long as" the temporal assertion R remains true.

Formally, the meaning of $R \Box P$ is defined by extending the interpretation:

$R \Box P(\sigma) = \forall n \geq 0 : (\forall i \in \{0, 1, \ldots, n\} : R(\sigma^i)) \supset P(\sigma^n)$.

That generalized temporal logic is as expressive as ordinary temporal logic follows from

$\text{true} \Box P = \Box P$.
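The interpretation just defined can be run over finite-prefix execution sequences (the page's convention: the last state repeats forever, so all suffixes beyond it coincide). The following Python is an added example, not part of the thesis; the two constructed sequences FAIR and UNFAIR and the predicate names pFIRST, pWAITING, qSERVED are assumptions, chosen to evaluate the First Come First Served assertion $pFIRST \supset pWAITING \Box \neg qSERVED$ of Chapter 1, and the block also checks the identities $\Diamond P = \neg\Box\neg P$ and $\text{true}\Box P = \Box P$ on them.

```python
from typing import Callable, Dict, List

State = Dict[str, bool]           # a state: truth-valued function on atomic predicates
Seq = List[State]                 # sigma = s0, s1, ..., last state repeats forever
Assertion = Callable[[Seq], bool]


def suffix(sigma: Seq, n: int) -> Seq:
    """sigma^n, the sequence with its first n elements deleted.  Since the last
    state stutters forever, sigma^n for n >= len(sigma)-1 is just [last]."""
    return sigma[min(n, len(sigma) - 1):]


def atom(name: str) -> Assertion:
    """Atomic predicate: P(sigma) = s0(P); predicates absent from a state are False."""
    return lambda sigma: sigma[0].get(name, False)


def neg(p: Assertion) -> Assertion:
    return lambda sigma: not p(sigma)


def implies(p: Assertion, q: Assertion) -> Assertion:
    return lambda sigma: (not p(sigma)) or q(sigma)


def henceforth(p: Assertion) -> Assertion:
    """[]P(sigma) = for all n >= 0: P(sigma^n).  All suffixes from index
    len-1 onwards coincide, so n < len(sigma) is an exhaustive check."""
    return lambda sigma: all(p(suffix(sigma, n)) for n in range(len(sigma)))


def eventually(p: Assertion) -> Assertion:
    """<>P(sigma) = there exists n >= 0: P(sigma^n)."""
    return lambda sigma: any(p(suffix(sigma, n)) for n in range(len(sigma)))


def as_long_as(r: Assertion, p: Assertion) -> Assertion:
    """Dyadic R[]P: for every n >= 0, if R holds on sigma^0 .. sigma^n then
    P holds on sigma^n, i.e. P stays true as long as R has stayed true."""
    def interp(sigma: Seq) -> bool:
        for n in range(len(sigma)):
            r_so_far = all(r(suffix(sigma, i)) for i in range(n + 1))
            if r_so_far and not p(suffix(sigma, n)):
                return False
        return True
    return interp


def m_valid(p: Assertion, model: List[Seq]) -> bool:
    """M |= P: P(sigma) is true for every sigma in the model's sequence set."""
    return all(p(sigma) for sigma in model)


# First Come First Served in the form used in Chapter 1:
#     pFIRST  ⊃  pWAITING [] ¬qSERVED
FCFS = implies(atom("pFIRST"), as_long_as(atom("pWAITING"), neg(atom("qSERVED"))))

# Constructed execution sequences (assumed, not from the thesis).  p requests
# first in both; in FAIR p is served before q, in UNFAIR q is served while p
# is still waiting.
FAIR: Seq = [
    {"pFIRST": True, "pWAITING": True},
    {"pWAITING": True},
    {"pWAITING": True, "qWAITING": True},
    {"pSERVED": True, "qWAITING": True},
    {"qSERVED": True},
]
UNFAIR: Seq = [
    {"pFIRST": True, "pWAITING": True},
    {"pWAITING": True, "qWAITING": True},
    {"pWAITING": True, "qSERVED": True},
    {"pSERVED": True},
]


def check_fcfs() -> Dict[str, bool]:
    return {"fair": FCFS(FAIR), "unfair": FCFS(UNFAIR)}


def check_identities(sigma: Seq) -> Dict[str, bool]:
    """The two identities quoted above, evaluated on one sequence:
    <>P == ¬[]¬P  and  true[]P == []P  (here with P = qSERVED)."""
    p = atom("qSERVED")
    true = lambda _sigma: True
    return {
        "eventually_is_not_henceforth_not":
            eventually(p)(sigma) == neg(henceforth(neg(p)))(sigma),
        "true_as_long_as_is_henceforth":
            as_long_as(true, p)(sigma) == henceforth(p)(sigma),
    }
```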

Some common program properties, expressed as temporal assertions, follow (from [GPSS]).

(i) Partial correctness, for a statement S with single entry point $l_0$ and single exit point $l_e$ (i.e. $\{P\}\ S\ \{Q\}$),

$at\ l_0 \wedge P \supset \Box(at\ l_e \supset Q)$.

The post assertion Q may involve initial data values. Supposing y to be the vector of all data variables,

$at\ l_0 \wedge y = y_0 \wedge P(y_0) \supset \Box(at\ l_e \supset Q(y_0, y))$.

(ii) Total correctness for a single-entry, single-exit statement,

$at\ l_0 \wedge y = y_0 \wedge P(y_0) \supset \Diamond(at\ l_e \wedge Q(y_0, y))$

- being at $l_0$ with P true and initial data values equal to $y_0$ is guaranteed to lead to $l_e$ with Q true.

(iii) A request (for some resource) is indicated by P being true. The response to this request is indicated by Q being true. The response may free the requester from being frozen in the requesting state - i.e. after the response, P need not be true.

Three kinds of response are possible.

(a) Response to insistence

$\Box P \supset \Diamond Q$.

This does not say that P must be true forever to get a response. It says that it is impossible for P to be forever true without getting a response,

i.e. it is equivalent to $\neg\Box(P \wedge \neg Q)$.

P may have to be true for an unbounded amount of time to obtain a response.

(b) Response to persistence

$\Box\Diamond P \supset \Diamond Q$

- P need not be true continuously, but it may have to be true infinitely often.

(c) Response to impulse

$P \supset \Diamond Q$.

(d) Absence of unsolicited response (P precedes Q)

$\Diamond Q \supset (\neg P \Box \neg Q) \wedge \Diamond P$

- If Q occurs at all, it is preceded by P. The consequent says that $\neg Q$ holds "as long as" P is not true, and that P does become true at some time. This is the general way of expressing "some P precedes some Q".



CHAPTER 1

METHODS FOR DERIVING SAFETY PROPERTIES

Safety properties state that nothing bad ever happens, or alternatively, whatever happens is good. Safety properties, expressed as temporal assertions, have three general forms -

(i) $Init \supset \Box I$ (invariant assertions)

Typical examples:

Partial Correctness,

Mutual Exclusion.

(ii) $I \wedge \Box R \supset \Box I$

- Once I becomes true, it remains true forever, provided R is forever true.

Such safety properties are very useful in deriving liveness properties. In this context, I is some desirable condition for progress and $\Box R$ states that no progress ever occurs. Thus from the above assertion, if the desirable condition ever becomes true and progress never occurs, then the desirable condition remains forever true. The obvious contradiction argument may then be used. The above assertion is equivalent to

$I \supset \Box I \vee \Diamond \neg R$

(iii) $I \supset R \Box I$

This is a stronger version of (ii). It uses the dyadic $\Box$ operator and says that if I ever becomes true, then it remains true "as long as" R remains true.


Example

First Come First Served: If process p requests service before process q, then process q cannot be served before process p.

Let pFIRST $\equiv$ p is waiting for service and q is neither waiting for service nor being served. Then

$pFIRST \supset pWAITING \Box \neg(qSERVED)$.

Three methods of deriving safety properties, due to [MP] Z. Manna and A. Pnueli, [OG] S. Owicki and D. Gries, and [LAM3] L. Lamport, are surveyed in this Chapter.

The first method uses an operational model to characterise programs. The last two methods are axiomatic and based on the Hoare Logic for sequential programs.

1.1 Manna-Pnueli Method

In this method every elementary statement is taken to represent a state to state transition. A concurrent program (in this method) has a fixed number of processes. Each process is a directed graph whose nodes are called control locations and whose arcs are called transitions. Each transition is an indivisible action. Each transition $\alpha$ has an enabling predicate $c_\alpha$, which must be true for the transition to occur, a location transformation function $r_\alpha$, and a variable updating function $f_\alpha$.

A concurrent program has the form

$(y := f_0(x))\ [P_1 \| P_2 \| \ldots \| P_m]$

The vector $x = (x_1, x_2, \ldots)$ contains the input data. The vector $y = (y_1, y_2, \ldots, y_n)$ is the vector of shared program variables. In fact, all program variables are shared; there are no variables local to a process. $P_i$, for $1 \leq i \leq m$, are the processes which constitute the program. There is also a vector $\pi = (\pi_1, \pi_2, \ldots, \pi_m)$ of location variables. Each location variable $\pi_i$ is the program counter for process $P_i$. At any instant, the value of each $\pi_i$ is the name of some node in the directed graph which is process $P_i$. As control moves from node to node of process $P_i$, the location variable $\pi_i$ is updated accordingly.

A transition $\alpha$ in a process $P_j$ has the form

$l : c_\alpha(y) \to [y := f_\alpha(y)]\ l'$

where l and l' are the names of the source and destination nodes of transition $\alpha$. The transition is enabled only if $c_\alpha(y)$ is true and $\pi_j = l$. $f_\alpha$ is a function body which describes the change in y as a result of the transition $\alpha$. That is, $f_\alpha$ is an n-tuple of expressions, and each expression may depend on y.

For example (assume n = 5)

$l : \text{if } y_1 + y_2 * y_3 > 0 \text{ then } y_3, y_4 := \ldots$
$l' :$

represents the transition

$l : y_1 + y_2 * y_3 > 0 \to [y := \ldots]\ l'$.

The location transformation function $r_\alpha$ for transition $\alpha$ in process $P_j$ updates the value of location variable $\pi_j$ to $l'$, but has no effect on $\pi_i$ for $i \neq j$.

Hence $r_\alpha(\pi_1, \ldots, \pi_j, \ldots, \pi_m) = (\pi_1, \ldots, l', \ldots, \pi_m)$.

In sum, the transition $\alpha$ has the form

$at\ l \wedge c_\alpha(y) \to [(\pi; y) := (r_\alpha(\pi); f_\alpha(y))]$

where $at\ l \equiv \exists j, 1 \leq j \leq m : \pi_j = l$, i.e. 'at l' is true if some process is presently at l.

MP treats only programs with a fixed number of processes, so that a program with nested cobegins cannot be examined by this method.

For example,

if $\langle y_1 \rangle \wedge \langle y_2 \rangle$ then S fi,

where $\langle y_1 \rangle \wedge \langle y_2 \rangle$ = cobegin Fetch($y_1$) || Fetch($y_2$) coend {value of $y_1$ $\wedge$ value of $y_2$},

cannot be represented in MP.

However, any sequential construct with an elementary-statement or finer grain of interleaving can be represented by transitions,

e.g. $l_0$ : while <B> do <S1>; <S2> od
     $l_1$ :
would become a transition graph (a figure in the original) with four transitions: from $l_0$, $B \to [\text{SKIP}]$ into the loop body and $\neg B \to [\text{SKIP}]$ to $l_1$; within the body, $\text{True} \to [S_1]$ followed by $\text{True} \to [S_2]$, returning to $l_0$.

Assertions are defined over program variables and location variables.

An assertion is an invariant for a program, according to [MP], if it is maintained by every transition and is initially true. For a program with input data satisfying the assertion $\phi(x)$, an assertion $Q(\pi; y)$ may be derived to be an invariant by the following principle -

Invariance Principle.

Let $Q(\pi; y)$ be a state property of a program (Note - Q has no temporal operators), such that

A: Q is initially true, i.e.

$at\ l_0 \wedge \phi(x) \supset Q(\bar{l}_0; f_0(x))$

holds, where $\bar{l}_0 = (l_0^1, \ldots, l_0^m)$ is the vector of initial locations.

B: Q is inductive for the program. That is, Q is preserved by every transition: the verification condition

$V_\alpha : (at\ l \wedge c_\alpha(y) \wedge Q(\pi; y)) \supset Q(r_\alpha(\pi); f_\alpha(y))$

holds for every transition $\alpha$ in the program.

Then

$\models at\ l_0 \wedge \phi(x) \supset \Box Q(\pi; y)$

may be deduced.
Example:

Semaphore variable Rule.

A semaphore variable, say y, is initialised to a non-negative value, and can then be accessed only through Wait and Signal operations.

Derive: $\models y \geq 0 \supset \Box\ y \geq 0$

Initial: $y \geq 0 \supset y \geq 0$ (because y is initially non-negative).

Inductive: The assertion $Q \equiv y \geq 0$ must be shown to be inductive.

Wait Operation:

$y > 0 \to [y := y - 1]$

$c_\alpha$ is $y > 0$, $f_\alpha$ is $y - 1$.

$V_\alpha : y \geq 0 \wedge y > 0 \supset y - 1 \geq 0$, which is true.

Signal Operation:

$\text{True} \to [y := y + 1]$

$c_\alpha$ is true, $f_\alpha$ is $y + 1$.

$V_\alpha : \text{True} \wedge y \geq 0 \supset y + 1 \geq 0$, which is true.

Since y is not affected by any other transition, i.e. $f_\alpha(y) = y$ for all other transitions $\alpha$, Q is inductive.

From this, $\models y \geq 0 \supset \Box\ y \geq 0$.

The initial value of y must be non-negative, so that

$\models \Box\ y \geq 0$.
1.1.1 Producer-Consumer Example

The producer-consumer example is a well known example in concurrent programming. It will be examined using the three methods of [MP], [OG], [LAM3] in this chapter. The [MP], [OG] proofs are from the original papers.

A producer computes values in sequence and passes them on to a consumer, which needs the values, in the same sequence, for its own computations. The two processes operate at roughly the same speeds, so it is profitable to interpose a buffer between them, to smooth out fluctuations of the individual process speeds. The buffer has a maximum capacity of N values. The producer repeatedly computes a value and puts it in the buffer, and the consumer repeatedly fetches a value from the buffer and does its own computation.

Program Producer-Consumer:
    b := NIL; s := 1; ce := N; cf := 0

    Producer:                      Consumer:
    l0 : Compute y1                m0 : Wait(cf)
    l1 : Wait(ce)                  m1 : Wait(s)
    l2 : Wait(s)                   m2 : y2 := Head(b)
    l3 : t1 := b @ y1              m3 : t2 := Tail(b)
    l4 : b := t1                   m4 : b := t2
    l5 : Signal(s)                 m5 : Signal(s)
    l6 : Signal(cf)                m6 : Signal(ce)
    l7 : go to l0                  m7 : Compute using y2
                                   m8 : go to m0

Three semaphore variables s, cf, ce and three sequence variables b, $t_1$, $t_2$ are used.
s is a mutual exclusion semaphore to provide exclusive access to locations ($l_3$, $l_4$, $l_5$) and ($m_2$, $m_3$, $m_4$, $m_5$) for the producer and the consumer, respectively. The semaphore ce (count of empties) counts the number of free slots in buffer b. The semaphore cf (count of fulls) counts the number of items currently in the buffer b.

The permissible operations on a sequence variable b are Head(b), which gives the first element of the sequence, Tail(b), which gives the rest of the sequence, and b @ y, which extends the sequence by appending value y. The length of a sequence variable b is denoted by |b|. A sequence variable can be assigned the value of another sequence variable.

The initial condition Init is

$Init \equiv at\ l_0 \wedge at\ m_0 \wedge (b = NIL) \wedge (s = 1) \wedge (ce = N) \wedge (cf = 0)$

From the semaphore variable rule follows

$\models \Box((s \geq 0) \wedge (cf \geq 0) \wedge (ce \geq 0))$

Exclusive access to the critical sections $L = \{l_3, l_4, l_5\}$ and $M = \{m_2, m_3, m_4, m_5\}$ may be expressed as $\Box \neg(at\ L \wedge at\ M)$, or as

$\models \Box(at\ L + at\ M \leq 1)$ (here truth values are numerically interpreted, with true = 1, false = 0).

This can be proved by showing the invariance of

$Q1 : at\ L + at\ M + s = 1$.

Initially at $l_0$ = at $m_0$ = 1, which implies that at L = at M = 0. Also s = 1. Hence Q1 is initially true.


/ 



Next Ql must be shown to be inductive, i.e, preserved 
by every transition of the program. This can be done by checking 
all transitions that modify the value of s or modify at L, at M . 
The only such transitions are those at l^/l^# m^,m^ (i.e,, 

^ 5 "^ ^6' ’^l ' ^2' ^5 *^6^* Consider the transition at I 2 - it 

decreases s by 1, but changes at L from O to 1, thus preserving 
Ql» similarly the transition at preserves Ql, because it 
increases s by 1 and also changes at M from 1 to 0, The other 
two transitions also preserve Ql, so that, by the Invariance 
Principle 

^ □ Ql . 

(implicitly assuming Init) 


From QQI and ‘ D S ^ 5 , 0 (sem^hore variable rule) follows 
that at L and at M can never be true together. 

Proper buffer management can be shown by deriving 

1=0 0 ^ 1 b( < N, 

Two invariant, assertions are required, 

Q2 ; cf + ce + at 1^ , + at m- . = N 

Q3 ; cf + at Ic/l^- + at m. . = l b! . 

-> fc> 1 . .4 

(Note at 1^ ^ or at 1- 1, stands for at 

and similarly at m^ ^ or at m^.,m^ stands for at {m^^, . . , ,m^} ). 
Q2 is true initially because cf =0, ce = N and both at 1- ^ - 

4b • ♦vD 

and at m-, , are 0 , 

The only transitions affecting Q2 are those at 1^,1^, 
m^/m^. Again - similarly to Ql — these transitions preserve 
Q2. Hence, 
$\models \Box Q2$ (implicitly assuming Init).

Q3 is initially true because |b| = 0, cf = 0, and at $l_{5..6}$ and at $m_{1..4}$ are both 0. The transitions affecting Q3 are those at $l_4$, $l_6$, $m_0$, $m_4$. The transitions at $l_6$, $m_0$ preserve Q3. However, the transitions at $l_4$, $m_4$ change the value of sequence variable b to $t_1$ and $t_2$ respectively. Hence, two additional invariant assertions,

$Q4 : at\ l_4 \supset (|t_1| = |b| + 1)$

$Q5 : at\ m_4 \supset (|t_2| = |b| - 1)$

are required.

Q4, Q5 are initially true because both antecedents are false.

Q4 may be falsified only by the transition at $l_3$, and this transition makes both at $l_4$ and $(|t_1| = |b| + 1)$ true.

Similarly, Q5 remains true after the transition at $m_3$, which is the only transition that can falsify Q5.

Hence

$\models \Box Q4$

$\models \Box Q5$ by the Invariance Principle.

Next, considering the transition at $l_4$ and Q3, it increases at $l_{5..6}$ by 1 and also increases |b| by 1 (from $\Box Q4$, $|t_1| = |b| + 1$ before this transition occurs), thus preserving Q3.

Similarly, by $\Box Q5$, the transition at $m_4$ preserves Q3. Hence, $\models \Box Q3$.
From Q3, |b| is always the sum of non-negative values, so that $\models \Box(|b| \geq 0)$.

Further, it is always true that

$|b| - cf = at\ l_{5..6} + at\ m_{1..4}$ (by Q3)
$\leq at\ l_{2..6} + at\ m_{1..6} = N - cf - ce$ (by Q2)

so that always $|b| - cf \leq N - cf - ce$, or

$|b| \leq N - ce$.

Hence $\models \Box(|b| \leq N)$, because semaphore variable ce is always $\geq 0$. This shows

$\models \Box(0 \leq |b| \leq N)$.
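The invariants Q1 to Q5 and the two properties derived from them can also be checked mechanically by exploring every interleaving of the transitions above for a small buffer capacity. The following Python is an added example, not from the thesis; it abstracts the sequence variables b, $t_1$, $t_2$ to their lengths (all that Q1 to Q5 refer to), and includes a constructed faulty variant that drops the consumer's Wait(s) to show that the checker reports the resulting violations of Q1 and mutual exclusion. This is finite-state exploration of the reachable states, which complements the deductive Invariance Principle proof rather than replacing it.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Tuple


class State(NamedTuple):
    """Location variables (pl, pm) and the shared variables.  b, t1, t2 are
    abstracted to their lengths, since @, Head and Tail only change lengths
    and Q1..Q5 mention nothing else."""
    pl: int   # producer location l0..l7
    pm: int   # consumer location m0..m8
    b: int    # |b|
    s: int
    ce: int
    cf: int
    t1: int   # |t1|
    t2: int   # |t2|


def transitions(st: State, drop_consumer_wait_s: bool = False) -> List[State]:
    """Enabled transitions from st (at most one per process).  With
    drop_consumer_wait_s the consumer's Wait(s) at m1 becomes a no-op: a
    constructed faulty variant, used to show a violation being caught."""
    nxt: List[State] = []
    p, m = st.pl, st.pm
    # Producer: l0 compute y1, l1 Wait(ce), l2 Wait(s), l3 t1 := b @ y1,
    #           l4 b := t1, l5 Signal(s), l6 Signal(cf), l7 go to l0
    if p == 0:
        nxt.append(st._replace(pl=1))
    elif p == 1 and st.ce > 0:
        nxt.append(st._replace(pl=2, ce=st.ce - 1))
    elif p == 2 and st.s > 0:
        nxt.append(st._replace(pl=3, s=st.s - 1))
    elif p == 3:
        nxt.append(st._replace(pl=4, t1=st.b + 1))
    elif p == 4:
        nxt.append(st._replace(pl=5, b=st.t1))
    elif p == 5:
        nxt.append(st._replace(pl=6, s=st.s + 1))
    elif p == 6:
        nxt.append(st._replace(pl=7, cf=st.cf + 1))
    elif p == 7:
        nxt.append(st._replace(pl=0))
    # Consumer: m0 Wait(cf), m1 Wait(s), m2 y2 := Head(b), m3 t2 := Tail(b),
    #           m4 b := t2, m5 Signal(s), m6 Signal(ce), m7 compute, m8 go to m0
    if m == 0 and st.cf > 0:
        nxt.append(st._replace(pm=1, cf=st.cf - 1))
    elif m == 1 and drop_consumer_wait_s:
        nxt.append(st._replace(pm=2))
    elif m == 1 and st.s > 0:
        nxt.append(st._replace(pm=2, s=st.s - 1))
    elif m == 2:
        nxt.append(st._replace(pm=3))
    elif m == 3:
        nxt.append(st._replace(pm=4, t2=st.b - 1))
    elif m == 4:
        nxt.append(st._replace(pm=5, b=st.t2))
    elif m == 5:
        nxt.append(st._replace(pm=6, s=st.s + 1))
    elif m == 6:
        nxt.append(st._replace(pm=7, ce=st.ce + 1))
    elif m == 7:
        nxt.append(st._replace(pm=8))
    elif m == 8:
        nxt.append(st._replace(pm=0))
    return nxt


L_CS = {3, 4, 5}        # L = {l3, l4, l5}
M_CS = {2, 3, 4, 5}     # M = {m2, m3, m4, m5}


def assertions(st: State, n: int) -> Dict[str, bool]:
    """Q1..Q5 from the proof, plus the two properties derived from them."""
    at_l, at_m = int(st.pl in L_CS), int(st.pm in M_CS)
    return {
        "Q1": at_l + at_m + st.s == 1,
        "Q2": st.cf + st.ce + int(2 <= st.pl <= 6) + int(1 <= st.pm <= 6) == n,
        "Q3": st.cf + int(5 <= st.pl <= 6) + int(1 <= st.pm <= 4) == st.b,
        "Q4": st.pl != 4 or st.t1 == st.b + 1,
        "Q5": st.pm != 4 or st.t2 == st.b - 1,
        "mutual_exclusion": not (at_l and at_m),
        "buffer_bounds": 0 <= st.b <= n,
    }


def explore(n: int, drop_consumer_wait_s: bool = False,
            limit: int = 200_000) -> Tuple[int, Dict[str, int], bool]:
    """Breadth-first search over all interleavings from Init with capacity n.
    Returns (states visited, violation count per assertion, whether the whole
    state space was exhausted within limit; the faulty variant is infinite)."""
    init = State(pl=0, pm=0, b=0, s=1, ce=n, cf=0, t1=0, t2=0)
    seen, queue = {init}, deque([init])
    violations: Dict[str, int] = {}
    while queue and len(seen) < limit:
        st = queue.popleft()
        for name, holds in assertions(st, n).items():
            if not holds:
                violations[name] = violations.get(name, 0) + 1
        for succ in transitions(st, drop_consumer_wait_s):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return len(seen), violations, not queue
```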

1.2 Owicki-Gries Method

The [OG] approach is to derive formulae $\{P\}\ S\ \{Q\}$, where S is a statement from an Algol-like language, extended to include the cobegin construct and a primitive construct, await. The await construct provides synchronisation and mutual exclusion.

The notation $\{P\}\ S\ \{Q\}$ has exactly the same meaning as in Hoare Logic, i.e. if P is true before execution of S, Q is true after execution of S.

The axioms and inference rules for sequential constructs are the same as in Hoare Logic:
null: $\{P\}\ \text{skip}\ \{P\}$

assignment: $\{P^E_x\}\ x := E\ \{P\}$ (where $P^E_x$ is P with E substituted for x)

alternation: $\dfrac{\{P \wedge B\}\ S_1\ \{Q\},\quad \{P \wedge \neg B\}\ S_2\ \{Q\}}{\{P\}\ \text{if } B \text{ then } S_1 \text{ else } S_2\ \{Q\}}$

iteration: $\dfrac{\{P \wedge B\}\ S\ \{P\}}{\{P\}\ \text{while } B \text{ do } S\ \{P \wedge \neg B\}}$

composition: $\dfrac{\{P_1\}\ S_1\ \{P_2\},\ \{P_2\}\ S_2\ \{P_3\},\ \ldots,\ \{P_n\}\ S_n\ \{P_{n+1}\}}{\{P_1\}\ \text{begin } S_1; \ldots; S_n \text{ end}\ \{P_{n+1}\}}$

consequence: $\dfrac{\{P_1\}\ S\ \{Q_1\},\quad P \vdash P_1,\quad Q_1 \vdash Q}{\{P\}\ S\ \{Q\}}$

The notation $P \vdash Q$ means that it is possible to prove Q using P as an assumption, in a deductive system which is valid for the data types and operations used in the programming language.

A proof-outline is a program annotated with assertions, such that if a statement S occurs between two assertions P and Q, then $\{P\}\ S\ \{Q\}$ is derivable. In a proof-outline, two adjacent assertions $\{P_1\}\ \{P_2\}$ denote a use of the rule of consequence, where $P_1 \vdash P_2$.

Each statement S is always preceded directly by an assertion called its precondition, written pre(S). Similarly, the postcondition post(S) is the assertion following statement S.

For example, the program

S = begin x := a; if e then $S_1$ else $S_2$ end

may have the proof outline
    {P}
    begin {$P_1^a_x$}
        x := a;
        {$P_1$}
        if e then {$P_1 \wedge e$} $S_1$ {$Q_1$}
             else {$P_1 \wedge \neg e$} $S_2$ {$Q_1$}
        {$Q_1$}
    end

(here $P_1^a_x$ is $P_1$ with a substituted for x).

In this proof-outline pre(x := a) = $P_1^a_x$, pre($S_2$) = $P_1 \wedge \neg e$, post(if e then $S_1$ else $S_2$) = $Q_1$, etc.

The cobegin statement has the form

cobegin $S_1 \| S_2 \| \ldots \| S_n$ coend,

where $S_1, \ldots, S_n$ are statements of the programming language - each may also be called a process.

Obviously, the indivisible actions of the processes are of interest.

Each assignment statement and each expression is an indivisible action. Thus the grain of interleaving is fixed at the elementary-statement/expression level. A finer grain of interleaving - the memory reference - may be assumed, if programs adhere to the following convention:

- Each expression and assignment statement refers at most once to a single variable that is changed by another process.

For example, let a, b, c be variables that are changed only by process $S_1$, and x, y, z be variables that may be changed by several processes. Then the statements

<x> := <a> + <b> - <c> * 5, <b> := <a> - <c> * <y>,

within process $S_1$ satisfy the above convention.

The expression <x> + <y> * <c> does not satisfy the convention, as it refers to two changing variables x, y. Similarly, the assignment statement <x> := <x> + <a> * <b> does not satisfy the convention, as it refers twice to the changing variable x. The concurrent assignment statement <x>, <y> := <a + b, b - c> also does not satisfy the convention.

The following example shows why the convention is needed.

$S_1$: {x = 0}
     cobegin <x := x + 2> || <x := 3> coend
     {x = 3 V x = 5}

Either <x := 3> occurs last, in which case {x = 3} upon termination, or <x := 3> occurs first, in which case {x = 5} upon termination.

$S_2$: {x = 0}
     cobegin <x> := <x> + 2 || <x := 3> coend
     {x = 2 V x = 3 V x = 5}

In this example, <x := 3> may occur between the two memory references of <x> := <x> + 2, so that {x = 2} upon termination.

Clearly <x> := <x> + 2 cannot be assumed to be an indivisible action if the variable x is changed by other processes.

On the other hand, if an action has no more than one reference to a single changing variable, the whole action may be taken to occur indivisibly at the moment of that memory reference. This is because, by the convention, all other references by this action are to variables not changed by other processes, hence all such references can be 'translated in time' to the moment at which the changing variable is referred to.

In sum, because of adherence to this convention, a memory-reference-level grain of interleaving is equivalent to an elementary-statement/expression-level grain of interleaving.
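Enumerating every interleaving of the two processes reproduces the outcome sets of $S_1$ and $S_2$ above, and a third pair of programs shows the point of the convention: an assignment with a single reference to a changing variable gives the same outcomes at both grains. This Python is an added example, not from the thesis; the hidden register _r that splits an assignment into its memory references, and the private variable a = 4, are assumptions.

```python
from typing import Callable, Dict, Iterator, List, Set, Tuple

Env = Dict[str, int]
Action = Callable[[Env], None]      # one indivisible action on the store


def interleavings(p1: List[Action], p2: List[Action]) -> Iterator[List[Action]]:
    """All nondeterministic interleavings of two processes' atomic actions,
    keeping each process's own order (the meaning of cobegin p1 || p2 coend)."""
    if not p1 or not p2:
        yield list(p1) + list(p2)
        return
    for rest in interleavings(p1[1:], p2):
        yield [p1[0]] + rest
    for rest in interleavings(p1, p2[1:]):
        yield [p2[0]] + rest


def outcomes(p1: List[Action], p2: List[Action], init: Env) -> Set[int]:
    """Set of final values of x over every interleaving, starting from init."""
    finals = set()
    for schedule in interleavings(p1, p2):
        env = dict(init)
        for act in schedule:
            act(env)
        finals.add(env["x"])
    return finals


# Atomic actions.  At memory-reference grain an assignment is split into a
# read into a hidden register _r (assumed here) and a write using that register.
def set_x_3(env: Env) -> None:            # <x := 3>
    env["x"] = 3

def add2_atomic(env: Env) -> None:        # <x := x + 2>, statement grain
    env["x"] = env["x"] + 2

def read_x(env: Env) -> None:             # first reference of <x> := <x> + 2
    env["_r"] = env["x"]

def read_a(env: Env) -> None:             # <a> in <x> := <a> + 2; a is private
    env["_r"] = env["a"]

def write_x_from_r(env: Env) -> None:     # the write, second memory reference
    env["x"] = env["_r"] + 2

def add2_from_a_atomic(env: Env) -> None:  # <x := a + 2>, statement grain
    env["x"] = env["a"] + 2


def s1_outcomes() -> Set[int]:
    """S1: {x = 0} cobegin <x := x + 2> || <x := 3> coend  ->  {3, 5}"""
    return outcomes([add2_atomic], [set_x_3], {"x": 0})


def s2_outcomes() -> Set[int]:
    """S2: {x = 0} cobegin <x> := <x> + 2 || <x := 3> coend  ->  {2, 3, 5};
    <x := 3> may fall between the two references to x."""
    return outcomes([read_x, write_x_from_r], [set_x_3], {"x": 0})


def convention_outcomes() -> Tuple[Set[int], Set[int]]:
    """<x> := <a> + 2 refers once to the changing variable x (a is changed by
    no other process), so splitting it into memory references changes nothing:
    both grains give {3, a + 2}.  Constructed with a = 4."""
    init = {"x": 0, "a": 4}
    fine = outcomes([read_a, write_x_from_r], [set_x_3], init)
    coarse = outcomes([add2_from_a_atomic], [set_x_3], init)
    return fine, coarse
```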

The cobegin statement is defined formally by the rule

COBEGIN: $\dfrac{\{P_1\}\ S_1\ \{Q_1\}, \ldots, \{P_n\}\ S_n\ \{Q_n\} \text{ are interference-free}}{\{P_1 \wedge \ldots \wedge P_n\}\ \text{cobegin } S_1 \| \ldots \| S_n \text{ coend}\ \{Q_1 \wedge \ldots \wedge Q_n\}}$

The interference-freeness of a set of formulae $\{P_1\}\ S_1\ \{Q_1\}, \ldots, \{P_n\}\ S_n\ \{Q_n\}$ guarantees that the formula $\{P_i\}\ S_i\ \{Q_i\}$, derived for some $S_i$ in isolation, remains valid despite the interleaving of indivisible actions from $S_j$, $1 \leq j \leq n$, $j \neq i$.

Definition of non-interference. Given a proof-outline $\{P\}\ S\ \{Q\}$ and a statement T with precondition pre(T), T does not interfere with $\{P\}\ S\ \{Q\}$ if the following hold:
(i) $\{Q \wedge pre(T)\}\ T\ \{Q\}$,

and (ii) Let S' be any statement of S but not within an await. Then

$\{pre(S') \wedge pre(T)\}\ T\ \{pre(S')\}$.

Definition of interference-free. $\{P_1\}\ S_1\ \{Q_1\}, \ldots, \{P_n\}\ S_n\ \{Q_n\}$ are interference-free if the following holds. Let T be an await or assignment statement (which does not occur within an await) of process $S_i$. Then for all $j \neq i$, T does not interfere with $\{P_j\}\ S_j\ \{Q_j\}$.

The await statement has the form

await B then S,

where B is a boolean expression.

The whole await statement is an indivisible action. An await statement cannot contain a cobegin or another await. The process within which the await occurs waits for the condition B to become true, and then performs S. No action from another process may be interleaved between the evaluation of B (to true) and the subsequent execution of S.

The formal definition of await is

AWAIT: $\dfrac{\{P \wedge B\}\ S\ \{Q\}}{\{P\}\ \text{await } B \text{ then } S\ \{Q\}}$

Obviously, the statement S within an await need not adhere to the convention given above for references to changing variables.

[OG] also uses Auxiliary variables. Auxiliary variables are used only for proof purposes, but not for the program itself.
No auxiliary variable may occur on the right side of an assignment. Such variables serve two purposes.

(i) As location variables, to indicate where control is within a particular process.

(ii) As history variables, to record the effect of the past computation on some variables; e.g. the number of Wait or Signal operations on a semaphore variable.

The [OG] system without Auxiliary Variables is incomplete (ref. [OG2]).

Auxiliary variable Transformation. Let AV be an auxiliary variable set (i.e. the set of Auxiliary variables) for S', and P and Q assertions that do not contain free variables from AV. Let S be obtained from S' by deleting all assignment statements with assignments to the variables in AV. Then

$\dfrac{\{P\}\ S'\ \{Q\}}{\{P\}\ S\ \{Q\}}$

1.2.1 Example Producer-Consumer

The proof of a producer-consumer program, from [OG], is shown.

The program is to copy an array of values A[1..M] into an array B[1..M]. The producer must pass the values from array A to the consumer, which puts them into array B. A buffer, of maximum capacity N, is interposed between producer and consumer. The buffer description is:

Buffer[0..N-1] is a shared array;
i = number of elements added to buffer;
j = number of elements removed from buffer;

The buffer contains i - j values, in the order Buffer[j mod N], ..., Buffer[(i-1) mod N].

Two semaphores Full, Empty are used to synchronize access to the buffer. Empty gives the number of vacant slots in the buffer, Full gives the number of occupied slots. The semaphores are translated into awaits, using

Wait(sem) $\equiv$ await sem > 0 then sem := sem - 1.

Signal(sem) $\equiv$ await true then sem := sem + 1.

Auxiliary variables, which count the number of semaphore operations performed, are also introduced.
S : Begin
      Full := 0; Empty := N; i := 1; j := 1;
      Cobegin
        Producer: While i ≤ M do
                    begin x := A[i];
                          Wait(Empty);
                          Buffer[i mod N] := x;
                          Signal(Full);
                          i := i + 1
                    end
        Consumer: While j ≤ M do
                    begin Wait(Full);
                          y := Buffer[j mod N];
                          Signal(Empty);
                          B[j] := y;
                          j := j + 1
                    end
      Coend
    End

S* : The program with auxiliary variables and awaits is:

    Begin
      Full := 0; Empty := N; i := 1; j := 1;
      Wfull, Sfull, Wempty, Sempty := 0, 0, 0, 0;
      Cobegin
        Producer: While i ≤ M do
                    begin x := A[i];
                          Await Empty > 0 then
                            begin Empty := Empty - 1;
                                  Wempty := Wempty + 1 end;
                          Buffer[i mod N] := x;
                          Await True then
                            begin Full := Full + 1;
                                  Sfull := Sfull + 1 end;
                          i := i + 1
                    end
        Consumer: While j ≤ M do
                    begin Await Full > 0 then
                            begin Full := Full - 1;
                                  Wfull := Wfull + 1 end;
                          y := Buffer[j mod N];
                          Await True then
                            begin Empty := Empty + 1;
                                  Sempty := Sempty + 1 end;
                          B[j] := y;
                          j := j + 1
                    end
      Coend
    End

Let I be the assertion

    I ≡ (Buffer[k mod N] = A[k], for k: Sempty < k ≤ Sfull)
        ∧ Full = Sfull - Wfull
        ∧ Empty = N + Sempty - Wempty
        ∧ 1 ≤ i ≤ M+1
        ∧ 1 ≤ j ≤ M+1.

I is the fundamental program invariant: it is not
interfered with by any producer or consumer action.

The proof outline for the main program, using I, is

    Begin
      Full := 0; Empty := N; i := 1; j := 1;
      Sfull, Wfull, Sempty, Wempty := 0, 0, 0, 0;
      {I ∧ Sfull = Wempty ∧ i = Sfull + 1 ∧ Sempty = Wfull
         ∧ j = Sempty + 1}
      Cobegin
        {I ∧ Sfull = Wempty ∧ i = Sfull + 1}
        Producer
        {I ∧ i = M+1}

        {I ∧ Sempty = Wfull ∧ j = Sempty + 1}
        Consumer
        {I ∧ (B[k] = A[k], 1 ≤ k ≤ M)}
      Coend
    End
    {B[k] = A[k], 1 ≤ k ≤ M}

The last assertion is indeed the desired output
assertion, and says that array A has been fully copied into
array B.

The auxiliary variables can now be removed, using the
given inference rule, to yield a proof of

    {True} S {B[k] = A[k], 1 ≤ k ≤ M}.

The consumer proof outline follows.

IC is the assertion

    IC ≡ (B[k] = A[k], 1 ≤ k < j).

    {I ∧ IC ∧ Sempty = Wfull ∧ j = Sempty + 1}
    Consumer: While j ≤ M do
      begin
        {I ∧ IC ∧ Sempty = Wfull ∧ j = Sempty + 1 ∧ j ≤ M}
        Await Full > 0 then
          begin Full := Full - 1; Wfull := Wfull + 1 end;
        {I ∧ IC ∧ Sempty = Wfull - 1 ∧ j = Sempty + 1 ∧ j ≤ M}
        y := Buffer[j mod N];
        {I ∧ IC ∧ Sempty = Wfull - 1 ∧ j = Sempty + 1 ∧ j ≤ M
           ∧ y = A[j]}
        Await True then
          begin Empty := Empty + 1; Sempty := Sempty + 1 end;
        {I ∧ IC ∧ Sempty = Wfull ∧ j = Sempty ∧ j ≤ M
           ∧ y = A[j]}
        B[j] := y;
        {I ∧ IC ∧ Sempty = Wfull ∧ j = Sempty ∧ j ≤ M
           ∧ B[j] = A[j]}
        j := j + 1
        {I ∧ IC ∧ Sempty = Wfull ∧ j = Sempty + 1 ∧ j ≤ M + 1}
      end
    {I ∧ IC ∧ j = M+1}
    {I ∧ (B[k] = A[k], 1 ≤ k ≤ M)}

The producer proof outline is

    {I ∧ Sfull = Wempty ∧ i = Sfull + 1}
    Producer: While i ≤ M do
      begin
        {I ∧ Sfull = Wempty ∧ i = Sfull + 1 ∧ i ≤ M}
        x := A[i];
        {I ∧ Sfull = Wempty ∧ i = Sfull + 1 ∧ i ≤ M ∧ x = A[i]}
        Await Empty > 0 then
          begin Empty := Empty - 1; Wempty := Wempty + 1 end;
        {I ∧ Sfull = Wempty - 1 ∧ i = Sfull + 1 ∧ i ≤ M ∧ x = A[i]}
        Buffer[i mod N] := x;
        {I ∧ Sfull = Wempty - 1 ∧ i = Sfull + 1 ∧ i ≤ M
           ∧ Buffer[i mod N] = A[i]}
        Await True then
          begin Full := Full + 1; Sfull := Sfull + 1 end;
        {I ∧ Sfull = Wempty ∧ i = Sfull ∧ i ≤ M}
        i := i + 1
        {I ∧ Sfull = Wempty ∧ i = Sfull + 1 ∧ i ≤ M + 1}
      end
    {I ∧ i = Sfull + 1 = M + 1}

Interference-freedom is quite obvious.

Examining all consumer assertions, except for I, these
assertions involve only variables used by the consumer.

Similarly, for all producer assertions, the consumer
changes no variables except those mentioned by I.

The assertion I is invariantly true in both processes.

1.3 Lamport's Method

[LAM3] uses the following method to prove an invariant
Q for a program S.

Assume the required result is ⊢ after(S) ⊃ Q.

Now find a predicate P such that

(a) the initial condition implies that P is true,

(b) ⊢ {P} S {true},

(c) ⊢ P ⊃ Q.

Of course, to derive {P} S {true} the entire program S is
examined from the atomic actions upwards and the axioms and
rules of inference are used.

A formula {P} S {Q} in [LAM3] has a different meaning
from one in [OG]. P may depend on program control locations,
in addition to the data variables. The elementary predicates
for control locations of a particular statement S are at('S'),
in('S') and after('S'). at('S') is true when control is at the
beginning of (i.e. just before) S, in('S') is true when either
at('S') is true or control is somewhere within the statement
S, and after('S') is true when control is at the location
immediately following the statement S. A formula {P} S {Q}
means that if execution is started anywhere in S with P true,
then P is preserved as long as control is in S, and Q becomes
true upon termination of S. The constraint on P being preserved
holds only for the actions of S, i.e. it does not prohibit
some other process from falsifying P while S is executing.

Suppose S ≡ cobegin S_1 || S_2 coend.

Then ⊢ {in(S_2)} S_1 {true}, because no action of
S_1 can affect the control location of S_2; but, while S_1 is
still executing, S_2 may terminate, thus falsifying in(S_2).

In other words, some process running in parallel
with S_1 may 'interfere' with the precondition of S_1. The
cobegin statement inference rule gets around this difficulty.

Let B ≡ cobegin S_1 || S_2 || ... || S_n coend.

                    {P} S_i {P},  i = 1, ..., n
    Cobegin rule  --------------------------------
                             {P} B {P}

i.e. in order to obtain a formula for a cobegin statement it
must be shown that the assertion P is maintained by every
substatement of the cobegin and P remains true even after any
or all of the substatements have terminated. Thus the cobegin
rule guarantees 'interference freedom', since P is preserved by
every atomic action.

Unlike in [OG], where the elementary or atomic action
is the memory reference, [LAM3] does not fix on any atomic
action. If an action is atomic, its proof rule is exactly the
same as that in the Hoare logic of sequential programs. Composite
actions are decomposed into atomic actions, and the formula
for the whole composite action is obtained by given rules of
inference.

The treatment of expressions in [LAM3] is quite thorough.

Typically an expression involves several variables (and constants)
as well as several operations on them. Each occurrence of a
variable is actually a reference to its memory location. This
memory reference is explicitly modelled in [LAM3] by associating
a 'value' attribute with each atomic sub-expression. In
implementation terms, the 'value' of an atomic sub-expression is some
private location (such as a register) into which the result
of evaluating the expression is placed. The 'value' attribute of
a sub-expression is not affected by any other action, as it is
totally private.

So that (a) <x := x+1>, (b) <x> := <x+1> and (c) <x> := <x> + 1
are all different from each other. (a) is atomic, (b) is
equivalent to

    <value('x+1') := x+1>;
    <x := value('x+1')>

and (c) is

    <value('x') := x>;
    <value('<x>+1') := value('x') + 1>;
    <x := value('<x>+1')>.

[LAM3] defines an arbitrary expression by the following rules

(a) <e> → <value('e') := e>

(b) <f(e_1, ..., e_n)> →
        cobegin <e_1> || ... || <e_n> coend;
        <value('f(e_1, ..., e_n)') := f(value('e_1'), value('e_2'), ..., value('e_n'))>

Although the rules are simple enough, a system allowing
this degree of interleaving does not always match the common
sense interpretation,

e.g. While <a> ∨ ¬<a> do
         S
     od

The boolean expression <a> ∨ ¬<a> may become false if
a changes from false to true between the two memory references to
a (assuming the first <a> is fetched first).
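To make the interleaving concrete, the following added Python example (not code from [LAM3] or the thesis) enumerates every interleaving of the reader's two fetches of a with one concurrent write a := true, modelling each <a> as a fetch into a private value attribute; the action names and the initial value a = false are assumptions of the example.

```python
"""Interleavings of the two memory references in '<a> ∨ ¬<a>' against a
concurrent write (added example, not code from [LAM3] or the thesis).  As in
[LAM3], each <a> is a separate fetch into a private 'value' attribute; the
second process consists of the single atomic action <a := true>."""

def interleavings(left, right):
    """All merges of two action sequences that keep each sequence's own order."""
    if not left:
        return [tuple(right)]
    if not right:
        return [tuple(left)]
    return ([(left[0],) + rest for rest in interleavings(left[1:], right)] +
            [(right[0],) + rest for rest in interleavings(left, right[1:])])

# Constructed schedule alphabet: the reader fetches <a> twice (left operand
# first, then the right one); the writer flips a once.
READER = ('fetch1', 'fetch2')
WRITER = ('write',)

def evaluate(schedule, a_initial=False):
    """Run one schedule; return the value the reader computes for <a> ∨ ¬<a>."""
    a, value = a_initial, {}
    for action in schedule:
        if action == 'fetch1':
            value['a1'] = a            # value('<a>') of the left operand
        elif action == 'fetch2':
            value['a2'] = a            # value('<a>') of the right operand
        elif action == 'write':
            a = True                   # <a := true> by the other process
    return value['a1'] or not value['a2']

def results():
    """Map every schedule to the reader's result; the 'tautology' fails for one."""
    return {s: evaluate(s) for s in interleavings(READER, WRITER)}

if __name__ == '__main__':
    for schedule, outcome in results().items():
        print(' -> '.join(schedule), ':', outcome)
```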

As a last example, the producer-consumer program is
proved using [LAM3].

Example: Producer-Consumer

    var A, B: array[1..M] of T;
        Buffer: array[0..N-1] of T;
        i, j: integer; x, y: T; empty, full: semaphore;
    i := 1; j := 1; empty := N; full := 0;
    cobegin
      Producer: while (i ≤ M) do
                  l0: <x := A[i]>;
                  l1: <wait(empty)>;
                  l2: <Buffer[i mod N] := x>;
                  l3: <signal(full)>;
                  l4: <i := i+1>
                od
    ||
      Consumer: while (j ≤ M) do
                  m0: <wait(full)>;
                  m1: <y := Buffer[j mod N]>;
                  m2: <signal(empty)>;
                  m3: <B[j] := y>;
                  m4: <j := j+1>
                od
    coend
    End.


It must be shown that finally A[k] = B[k], for k: 1 ≤ k ≤ M.

To do this it must be ensured that the buffer length is
always between 0 and N. If the producer is about to access
the buffer (at l2) then the buffer length is between 0 and N-1,
whereas if the consumer is about to access the buffer (at m1)
then the buffer length is between 1 and N.

Usually the buffer length = i-j.

Also usually,

    i-j = N - empty

(because whenever the producer increments i and
overtakes the consumer, it also decrements 'empty')
and

    i-j = full

(again because the producer increments i and signals
'full' when it overtakes the consumer).

full and empty, being semaphores, are always ≥ 0.

Hence,

    i-j ≤ N

and

    i-j ≥ 0.

Actually, there are several special cases which are examined in
the proof.

Firstly, the atomic actions are examined.

    {true}
    i := 1; j := 1; empty := N; full := 0;
    {i = j = 1 ∧ empty = N ∧ full = 0}

Notation used

    II ≡ A[k] = B[k] ∀k: 1 ≤ k < j

    [j:i) Buffer = A ≡ Buffer[k mod N] = A[k] ∀k: j ≤ k < i
    (j:i) Buffer = A ≡ Buffer[k mod N] = A[k] ∀k: j < k < i
    [j:i] Buffer = A ≡ Buffer[k mod N] = A[k] ∀k: j ≤ k ≤ i

    etc.

'Predicate' → P1, P2 ≡ if 'Predicate' is true, then
P1 holds, else P2 holds.

The 'predicate' used will always be a control
location predicate.

Producer:

    {i ≤ M
     ∧ at m_0 → i-j = full, i-j = full+1
     ∧ at m_{0..2} → i-j = N-empty, i-j = N+1-empty
     ∧ at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A}
    l0: <x := A[i]>
    {x = A[i] ∧ i ≤ M
     ∧ at m_0 → i-j = full, i-j = full+1
     ∧ at m_{0..2} → i-j = N-empty, i-j = N+1-empty
     ∧ at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A}
    l1: <wait(empty)>
    {x = A[i] ∧ i ≤ M
     ∧ at m_0 → i-j = full, i-j = full+1
     ∧ at m_{0..2} → i-j = N-(empty+1), i-j = N-empty
     ∧ at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A}

This means buffer length = i-j at m_{0..2};
also (i-j = N-1-empty) ⊃ i-j ≤ N-1 at m_{0..2},
so that buffer length ≤ N-1 at m_{0..2};

and buffer length = i-j-1 at m_{3,4};
also (i-j = N-empty) ⊃ i-j ≤ N at m_{3,4},
so that again buffer length = i-j-1 ≤ N-1 at m_{3,4}.

    l2: <Buffer[i mod N] := x>
    {Buffer[i mod N] = A[i] ∧ i ≤ M
     ∧ at m_0 → i-j = full, i-j = full+1
     ∧ at m_{0..2} → i-j = N-(empty+1), i-j = N-empty
     ∧ at m_{0..2} → [j:i] Buffer = A, (j:i] Buffer = A}
    l3: <signal(full)>
    {i ≤ M
     ∧ at m_0 → i-j = full-1, i-j = full
     ∧ at m_{0..2} → i-j = N-(empty+1), i-j = N-empty
     ∧ at m_{0..2} → [j:i] Buffer = A, (j:i] Buffer = A}
    l4: <i := i+1>
    {(i ≤ M ∨ i = M+1)
     ∧ at m_0 → i-j = full, i-j = full+1
     ∧ at m_{0..2} → i-j = N-empty, i-j = N+1-empty
     ∧ at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A}

Consumer:

    {j ≤ M ∧ II
     ∧ at l_{0..3} → i-j = full, i-j = full-1
     ∧ at l_{0,1} → i-j = N-empty, i-j = N-(empty+1)
     ∧ at l_{0..2} → [j:i) Buffer = A, [j:i] Buffer = A}
    m0: <wait(full)>
    {j ≤ M ∧ II
     ∧ at l_{0..3} → i-j = full+1, i-j = full
     ∧ at l_{0,1} → i-j = N-empty, i-j = N-(empty+1)
     ∧ at l_{0..2} → [j:i) Buffer = A, [j:i] Buffer = A}

Consider at l_{0..3}; then
    buffer length = i-j,
    also (i-j = full+1) ⊃ i-j ≥ 1,
    hence buffer length ≥ 1.
Now suppose at l_4; then
    buffer length = i+1-j,
    also (i-j = full) ⊃ (i-j ≥ 0) ⊃ (i-j+1 ≥ 1),
    hence buffer length ≥ 1 at l_4.

    m1: <y := Buffer[j mod N]>
    {y = Buffer[j mod N] = A[j] ∧ j ≤ M ∧ II
     ∧ at l_{0..3} → i-j = full+1, i-j = full
     ∧ at l_{0,1} → i-j = N-empty, i-j = N-(empty+1)
     ∧ at l_{0..2} → [j:i) Buffer = A, [j:i] Buffer = A}
    m2: <signal(empty)>
    {y = A[j] ∧ II ∧ j ≤ M
     ∧ at l_{0..3} → i-j = full+1, i-j = full
     ∧ at l_{0,1} → i-j = N+1-empty, i-j = N-empty
     ∧ at l_{0..2} → (j:i) Buffer = A, (j:i] Buffer = A}

The Buffer assertion has to be weakened because the buffer is
circular, so that after signal(empty) possibly A[j] ≠ Buffer[j mod N]
but instead A[j+N] = Buffer[j mod N], i.e. the
producer puts a fresh element A[j+N] into the empty slot
Buffer[j mod N].

    m3: <B[j] := y>
    {B[j] = A[j] ∧ j ≤ M ∧ II
     ∧ at l_{0..3} → i-j = full+1, i-j = full
     ∧ at l_{0,1} → i-j = N+1-empty, i-j = N-empty
     ∧ at l_{0..2} → (j:i) Buffer = A, (j:i] Buffer = A}
    m4: <j := j+1>
    {(j ≤ M ∨ j = M+1) ∧ II
     ∧ at l_{0..3} → i-j = full, i-j = full-1
     ∧ at l_{0,1} → i-j = N-empty, i-j = N-(empty+1)
     ∧ at l_{0..2} → [j:i) Buffer = A, [j:i] Buffer = A}


Having obtained the relevant formulas for the atomic
actions, the formulas for composite actions can be derived, using
the inference rules for sequencing and 'while' and finally that
for cobegin.

    Producer: {P_prod} while (i ≤ M) do
                          {P_prod ∧ i ≤ M}
                          S_prod
                          {P_prod}
                        od
              {P_prod ∧ i > M}

    Consumer: {P_cons} while (j ≤ M) do
                          {P_cons ∧ j ≤ M}
                          S_cons
                          {P_cons}
                        od
              {P_cons ∧ j > M}

Here S_prod is the sequence of l0; l1; ...; l4 and S_cons is the
sequence of m0; m1; ...; m4.

By scanning the atomic action formulas of the Producer
and Consumer, P_prod and P_cons are obtained:

    P_prod ≡ at l_{0..3} → (at m_0 → i-j = full, i-j = full+1),
                           (at m_0 → i-j = full-1, i-j = full)
           ∧ at l_{0,1} → (at m_{0..2} → i-j = N-empty, i-j = N+1-empty),
                          (at m_{0..2} → i-j = N-(empty+1), i-j = N-empty)
           ∧ at l_{0..2} → (at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A),
                           (at m_{0..2} → [j:i] Buffer = A, (j:i] Buffer = A)
           ∧ at l_{1,2} → x = A[i]

    P_cons ≡ II
           ∧ at m_0 → (at l_{0..3} → i-j = full, i-j = full-1),
                      (at l_{0..3} → i-j = full+1, i-j = full)
           ∧ at m_{0..2} → (at l_{0,1} → i-j = N-empty, i-j = N-(empty+1)),
                           (at l_{0,1} → i-j = N+1-empty, i-j = N-empty)
           ∧ at m_{0..2} → (at l_{0..2} → [j:i) Buffer = A, [j:i] Buffer = A),
                           (at l_{0..2} → (j:i) Buffer = A, (j:i] Buffer = A)
           ∧ at m_{2,3} → y = A[j]
           ∧ at m_4 → B[j] = A[j]

Finally, using the cobegin rule of inference,

    {P}
    cobegin
      Producer: {P} while (i ≤ M) do
                      S_prod
                    od
                {P}
    ||
      Consumer: {P} while (j ≤ M) do
                      S_cons
                    od
                {P}
    coend
    {P}

Here P is the conjunction of P_prod and P_cons, together with the
exit conditions of the two loops:

    P ≡ at l_{0..3} → (at m_0 → i-j = full, i-j = full+1),
                      (at m_0 → i-j = full-1, i-j = full)
      ∧ at l_{0,1} → (at m_{0..2} → i-j = N-empty, i-j = N+1-empty),
                     (at m_{0..2} → i-j = N-(empty+1), i-j = N-empty)
      ∧ at l_{0..2} → (at m_{0..2} → [j:i) Buffer = A, (j:i) Buffer = A),
                      (at m_{0..2} → [j:i] Buffer = A, (j:i] Buffer = A)
      ∧ at l_{1,2} → x = A[i]
      ∧ II
      ∧ at m_{2,3} → y = A[j]
      ∧ at m_4 → B[j] = A[j]
      ∧ after(Producer) → i > M
      ∧ after(Consumer) → j > M.

Hence at the end of the program,

    (P ∧ after(Producer) ∧ after(Consumer))
      ⊃ (II ∧ (j > M))
      ⊃ (A[k] = B[k], 1 ≤ k ≤ M).

This is the required output assertion.
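The two proofs of this program (1.2.1 with auxiliary variables, and the Lamport proof just given) can be cross-checked mechanically for small M and N. The following added Python example, not code from the thesis, [OG] or [LAM3], treats every assignment and await of S* as one atomic transition, enumerates all reachable interleavings and checks in every state the invariant I, the assertions of the proof outlines of 1.2.1 and the buffer-length bounds claimed in 1.3; M = 4, N = 2, the contents of A and the measure 'buffer length = Sfull - Sempty' are assumptions of the example.

```python
"""Exhaustive interleaving check of the producer-consumer program S* of 1.2.1.
Added example, not code from the thesis, [OG] or [LAM3]: each assignment or
await of S* is one atomic transition, all reachable states for small M and N
are enumerated, and in every state the invariant I, the proof-outline
assertions of 1.2.1 and the buffer-length bounds of 1.3 are checked."""
from collections import deque

M, N = 4, 2                              # constructed sizes: 4 items, 2 slots
A = (None, 10, 20, 30, 40)               # A[1..M]; index 0 is unused

# Control locations: 'pt'/'ct' loop test, p0..p4 / c0..c4 the five atomic
# actions of each process in program order, 'pe'/'ce' terminated.
INIT = dict(Full=0, Empty=N, i=1, j=1, x=None, y=None,
            Wfull=0, Sfull=0, Wempty=0, Sempty=0,
            Buffer=(None,) * N, B=(None,) * (M + 1), pp='pt', pc='ct')

def step_producer(s):
    """Successor after one producer action; None if blocked or terminated."""
    t, p = dict(s), s['pp']
    if p == 'pt':   t['pp'] = 'p0' if s['i'] <= M else 'pe'
    elif p == 'p0': t['x'] = A[s['i']]; t['pp'] = 'p1'
    elif p == 'p1':                                  # Await Empty > 0 then ...
        if s['Empty'] <= 0: return None
        t['Empty'] -= 1; t['Wempty'] += 1; t['pp'] = 'p2'
    elif p == 'p2':
        buf = list(s['Buffer']); buf[s['i'] % N] = s['x']
        t['Buffer'] = tuple(buf); t['pp'] = 'p3'
    elif p == 'p3': t['Full'] += 1; t['Sfull'] += 1; t['pp'] = 'p4'
    elif p == 'p4': t['i'] += 1; t['pp'] = 'pt'
    else: return None
    return t

def step_consumer(s):
    """Successor after one consumer action; None if blocked or terminated."""
    t, c = dict(s), s['pc']
    if c == 'ct':   t['pc'] = 'c0' if s['j'] <= M else 'ce'
    elif c == 'c0':                                  # Await Full > 0 then ...
        if s['Full'] <= 0: return None
        t['Full'] -= 1; t['Wfull'] += 1; t['pc'] = 'c1'
    elif c == 'c1': t['y'] = s['Buffer'][s['j'] % N]; t['pc'] = 'c2'
    elif c == 'c2': t['Empty'] += 1; t['Sempty'] += 1; t['pc'] = 'c3'
    elif c == 'c3':
        b = list(s['B']); b[s['j']] = s['y']; t['B'] = tuple(b); t['pc'] = 'c4'
    elif c == 'c4': t['j'] += 1; t['pc'] = 'ct'
    else: return None
    return t

def inv_I(s):
    """The fundamental invariant I of 1.2.1."""
    return (all(s['Buffer'][k % N] == A[k]
                for k in range(s['Sempty'] + 1, s['Sfull'] + 1))
            and s['Full'] == s['Sfull'] - s['Wfull']
            and s['Empty'] == N + s['Sempty'] - s['Wempty']
            and 1 <= s['i'] <= M + 1 and 1 <= s['j'] <= M + 1)

def producer_assertion(s):
    """Proof-outline assertion at the producer's current location (I aside)."""
    i, Sf, We, x = s['i'], s['Sfull'], s['Wempty'], s['x']
    return {'pt': Sf == We and i == Sf + 1,
            'p0': Sf == We and i == Sf + 1 and i <= M,
            'p1': Sf == We and i == Sf + 1 and i <= M and x == A[i],
            'p2': Sf == We - 1 and i == Sf + 1 and i <= M and x == A[i],
            'p3': Sf == We - 1 and i == Sf + 1 and i <= M
                  and s['Buffer'][i % N] == A[i],
            'p4': Sf == We and i == Sf and i <= M,
            'pe': i == Sf + 1 == M + 1}[s['pp']]

def consumer_assertion(s):
    """Proof-outline assertion at the consumer's current location (I aside)."""
    j, Se, Wf, y = s['j'], s['Sempty'], s['Wfull'], s['y']
    IC = all(s['B'][k] == A[k] for k in range(1, j))
    return IC and {'ct': Se == Wf and j == Se + 1,
                   'c0': Se == Wf and j == Se + 1 and j <= M,
                   'c1': Se == Wf - 1 and j == Se + 1 and j <= M,
                   'c2': Se == Wf - 1 and j == Se + 1 and j <= M and y == A[j],
                   'c3': Se == Wf and j == Se and j <= M and y == A[j],
                   'c4': Se == Wf and j == Se and j <= M and s['B'][j] == A[j],
                   'ce': j == M + 1}[s['pc']]

def buffer_length_bounds(s):
    """1.3: length in 0..N-1 when the producer is about to write (p2) and in
    1..N when the consumer is about to read (c1); length = Sfull - Sempty."""
    length = s['Sfull'] - s['Sempty']
    return ((s['pp'] != 'p2' or 0 <= length <= N - 1)
            and (s['pc'] != 'c1' or 1 <= length <= N))

def explore():
    """BFS over all interleavings: (number of states, violations, final states)."""
    key = lambda s: tuple(sorted(s.items()))
    seen, queue, violations, finals = {key(INIT)}, deque([INIT]), [], []
    while queue:
        s = queue.popleft()
        for name, ok in (('I', inv_I(s)), ('producer', producer_assertion(s)),
                         ('consumer', consumer_assertion(s)),
                         ('buffer', buffer_length_bounds(s))):
            if not ok: violations.append((name, s))
        succ = [t for t in (step_producer(s), step_consumer(s)) if t is not None]
        if not succ: finals.append(s)                # both processes terminated
        for t in succ:
            if key(t) not in seen: seen.add(key(t)); queue.append(t)
    return len(seen), violations, finals

if __name__ == '__main__':
    n, bad, finals = explore()
    print(n, 'states,', len(bad), 'violations, B =', finals[0]['B'][1:])
```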



CHAPTER 2. 

METHODS FOR DERIVING LIVENESS PROPERTIES 

Liveness properties state that something must happen.

The most well known liveness property for sequential programs
is termination. Concurrent programs may have other liveness
properties of interest. Indeed, cyclic concurrent programs
never terminate. Some examples are:

- A process progresses through specified control points.

- Starvation freeness: every request for a non-shareable
  resource is granted.

- If an unbounded number of messages is input to a
  communication medium, some message is output.

A state of a program is determined by the values of all
its variables and the control locations (program counter values)
of all its constituent processes.

A liveness property expresses progression between one
family of states and another family of states. Each of this
pair of families-of-states is characterised by an assertion.

For a given program, a pair of assertions (P,Q) is in
the relation ⇝ (leads to) precisely when the program is
guaranteed to reach a state satisfying Q, starting from any state
satisfying P.

(P,Q) are in the relation ⇝ is also written as P ⇝ Q.

The relation ⇝ has two useful properties:

(i) Transitivity. If P ⇝ R and R ⇝ Q then P ⇝ Q.

This allows the task of deriving P ⇝ Q to be broken
into a series of steps.

(ii) Set inductivity. If S_P is a set of assertions
and P ⇝ Q for all P ∈ S_P, then (∨ S_P) ⇝ Q.

(∨ S_P is obtained by ORing all assertions in S_P.)
This property is used for induction on a well-founded
set of assertions.

A set S_P with an irreflexive partial ordering ≺ is
well founded if, for all P ∈ S_P, the set P_≺ ≡ {x | x ∈ S_P ∧ x ≺ P}
is a finite set.

For a well-founded set of assertions S_P with the above property,

    if P ⇝ (Q ∨ (∨ P_≺)) for all P ∈ S_P, then (∨ S_P) ⇝ Q.

For some programs, the above rule is used to derive
liveness properties by induction on either

(i) some function of the values of variables, or
(ii) some function of the control locations of all
constituent processes.

In contrast to safety proofs, which require local
reasoning and an exhaustive checking of all elementary actions,
a liveness proof is often complex and may be subtle.

Owicki-Lamport [OL] and Manna-Pnueli [MP] both use
temporal logic to state liveness properties, and give axioms
and rules to derive liveness properties for program fragments.

A program in [OL] is coded in a simple programming
language with assignment, sequencing, while statement, cobegin
statement and (as an extension) semaphores. In [MP] a program
is represented as a directed graph, whose nodes are control
locations, and arcs are elementary (atomic) actions. Lamport
[LAM1] represents programs by flowcharts, i.e. a directed graph
with nodes as elementary actions and arcs indicating control
flow (an arc may be taken to be a control location). [LAM1],
being an early work, does not use temporal logic. Two axioms
about the relation ⇝ are given, and four theorems. All liveness
properties are derived using these, in [LAM1].

2.1 Owicki-Lamport Method

In [OL] P ⇝ Q is represented by the temporal logic
formula □(P ⊃ ◇Q).

The two axioms are:

Atomic actions always terminate.

Atomic assignment axiom. For any atomic assignment
statement S,

    at S ⇝ after S.

While control flow axiom. For the statement
W: While b do S od,

    at W ⇝ (at S ∨ after W).

There are two additional axioms for the P and V
operations on semaphores (in the extended language).

V operation axioms. For the statement l: <V(s)>

    safety    ... <V(s)> {Q}

    liveness  at l ⇝ after l.

P operation axioms. For the statement l: <P(s)>

    safety    {Q ∧ s > 0} <P(s)> ...

    liveness  (at l ∧ □◇(s > 0)) ⇝ after l.

Additional rules are derived from the above two liveness
axioms and various safety properties.

Concatenation control flow. For the statement S;T

    at S ⇝ after S,  at T ⇝ after T
    --------------------------------
            at S ⇝ after T

Cobegin control flow. For the statement c: cobegin S || T coend

    at S ⇝ after S,  at T ⇝ after T
    --------------------------------
            at c ⇝ after c

Single exit rule. For any statement S

    in S ⊃ (□ in S ∨ ◇ after S)

Atomic statement rule. For any atomic statement S

    {P} <S> {Q},  □(at S ⊃ P)
    ---------------------------
      at S ⇝ (after S ∧ Q)

General statement rule. For any statement S

    {P} S {Q},  □(in S ⊃ P),  in S ⇝ after S
    -----------------------------------------
             in S ⇝ (after S ∧ Q)

While test rule. For the statement W: While <b> do S od

    at W ⇝ (at S ∧ b) ∨ (after W ∧ ¬b)

While exit rule. For the statement W: While <b> do S od

    at W ∧ □(at W ⊃ b)  ⇝ at S
    at W ∧ □(at W ⊃ ¬b) ⇝ after W

Liveness properties are derived from a proof lattice.

A proof lattice has a structure which allows rigorous, but
compact and high-level derivations to be made. The level of
reasoning, being at a higher level than the individual steps
of a fully formal proof, aids in comprehension.

A proof lattice is defined to be a finite directed
acyclic graph, in which each node is labelled with an assertion,
such that

(i) There is a single entry node having no incoming
edges,

(ii) There is a single exit node having no outgoing
edges,

(iii) If a node labelled R has outgoing edges to nodes
labelled R_1, R_2, ..., R_k, then

    R ⇝ (R_1 ∨ R_2 ∨ ... ∨ R_k) holds for the program.

From the third condition follows that, if R is true at some
time, at least one of the R_i must be true at some later time.

As a consequence, if the entry node assertion is true at some
time, then the exit node assertion must be true at some later
time. Hence the theorem:

If there is a proof lattice for a program with entry node labelled
P and exit node labelled Q, then P ⇝ Q is true for that program.

The advantage of a proof lattice for deriving liveness
properties is its ease of understanding and high-level reasoning.

The main drawback is that a restricted notation is used
for derivations which may be quite complex. This sometimes
leads to convoluted uses of the notation, which may be misleading:

(i) Mix-up of ⊃ and ⇝.

This is justified by the temporal logic theorem
□(P ⊃ Q) ⊃ (P ⇝ Q).

The safety property I ⊃ □I may be represented as

        I
        |
        v
       □I

Similarly in c ≡ at c ∨ at b may be represented as

         in c
        /    \
       v      v
    at c     at b

(ii) A single step in the proof lattice (i.e. an edge) may
require quite a complicated formal proof involving detailed
examination of a sizeable fragment of the program. Of course,
this is precisely the motivation for using high-level reasoning.
Nevertheless, each step in the proof lattice must be 'obvious'.
These drawbacks can be avoided in a careful derivation.

A program for two-process mutual exclusion [PET] is taken
as an example.

Program Mutex;

    c:  Q1, Q2: Boolean; Last: integer; ... other variables;
        Q1 := false; Q2 := false; Last := 1;
    sc: cobegin
          Process(1) || Process(2)
        coend.

    Process(1):

    W1:  While true do
    NC1:   Noncritical Section 1;
    l1:    Q1 := True;
    m1:    Last := 1;
    p1:    While (Q2) ∧ (Last = 1) do
    q1:      skip
           od;
    cs1:   Critical Section 1;
    r1:    Q1 := False
         od

    Process(2):

    W2:  While true do
    NC2:   Noncritical Section 2;
    l2:    Q2 := True;
    m2:    Last := 2;
    p2:    While (Q1) ∧ (Last = 2) do
    q2:      skip
           od;
    cs2:   Critical Section 2;
    r2:    Q2 := False
         od
Processes 1 and 2 are similar; hence, if Process 1 has
the desired liveness property, then so does Process 2.

It is assumed that no Process(i) stays forever inside
its critical section,

i.e. in cs_i ⇝ after cs_i.

The desired liveness property is

    (L1)  at c ⊃ (at l_1 ⇝ at cs_1).

The following safety properties are used.

    (S1)  I ⊃ □I,

where

    I ≡ (in sc ⊃ (Last = 1 ∨ Last = 2))
      ∧ (at W_i ∨ at l_i ∨ in NC_i ⊃ ¬Q_i)           for i = 1, 2
      ∧ (at m_i ∨ in p_i ∨ in cs_i ∨ at r_i ⊃ Q_i)    for i = 1, 2
      ∧ (in cs_1 ∧ in p_2 ⊃ Last = 2)
      ∧ (in cs_2 ∧ in p_1 ⊃ Last = 1).

The first three terms of I are obviously invariant. Examining
the fourth term, i.e. (in cs_1 ∧ in p_2 ⊃ Last = 2), the only
program actions affecting it are m_1, p_1, m_2.

m_1, however, cannot falsify the fourth term, because
immediately after it is executed 'in p_1' is true, i.e. the
antecedent of the term is false, since in p_1 ⊃ ¬in cs_1.

Considering p_1, suppose it indeed did falsify the fourth
term, by making in cs_1 true while Last ≠ 2:

    {in p_2 ∧ ...} p_1: ... {in cs_1 ∧ in p_2 ∧ (Last ≠ 2)}.

This implies that, immediately after p_1 is executed,
(in p_2 ∧ Last ≠ 2) is true, i.e. (Q2 ∧ Last = 1) is true. Now,
as p_1 does not modify any variables, immediately before p_1
was executed (Q2 ∧ Last = 1) must have held. But if this
were the case, control would have transferred to q_1 and not cs_1.
Contradiction.

m_2 always makes Last = 2 and so cannot falsify the fourth
term.

The fifth term may be similarly proved.

I ⊃ □I and at c ⊃ I together imply

    at c ⊃ □I.

From the invariance of the fourth and fifth terms of I, it is
easy to see the invariance of the mutual exclusion property

    (S2)  ¬(in cs_1 ∧ in cs_2) ⊃ □¬(in cs_1 ∧ in cs_2).

The only statements affecting 'in cs_i' are p_1, p_2. Neither p_1
nor p_2 can falsify ¬(in cs_1 ∧ in cs_2).

Considering p_1, it could only falsify this assertion
by making in cs_1 true while process 2 is already in its
critical section. But then the invariance of the fifth term
of I implies that control would transfer from p_1 to q_1
(and not cs_1).

From at c ⊃ ¬(in cs_1 ∧ in cs_2) and the invariance of
¬(in cs_1 ∧ in cs_2) follows that

    at c ⊃ □¬(in cs_1 ∧ in cs_2).

Another required property is

    (S3a)  Last = 2 ∧ □(in p_1) ⊃ □(Last = 2)

    (S3b)  Last = 1 ∧ □(in p_2) ⊃ □(Last = 1).

The property (S3a) is true, because the only program
action falsifying Last = 2 is m_1 and control, being forever
in p_1, could never reach m_1.

Lastly,

    (S4a)  at W_1 ⊃ □ in W_1

    (S4b)  at W_2 ⊃ □ in W_2.

Again from at sc ⊃ at W_1, follows

    at sc ⊃ □ in W_1.

Similarly at sc ⊃ □ in W_2.

The program must reach the cobegin when started, i.e.
at c ⇝ at sc.

Consequently, (at c ⊃ □I) ∧ (at c ⊃ ◇□(in W_1 ∧ in W_2)).
A proof lattice is used to prove that □(in W_1 ∧ in W_2) and □I and
(S3a) and (S3b) imply (at l_1 ⇝ at cs_1).

Combined with the previous step, this gives the desired liveness
property, at c ⊃ (at l_1 ⇝ at cs_1).



PROOF LATTICE

[Figure: the proof lattice showing that □(in W_1 ∧ in W_2) and □I and (S3a)
and (S3b) imply (at l_1 ⇝ at cs_1). Of the drawing only the node labels
survive: the entry node at l_1, the nodes at m_1 ∧ □I and at m_1 ∧ □I ∧
Last = 1, an outer box labelled □ in p_1 containing an inner box labelled
□ in p_2, and the exit node after p_1 ≡ at cs_1; the edges are numbered
(1) to (15).]

The various steps in the proof lattice are derived as follows.

Single exit rule, in p_1 ⊃ (□ in p_1 ∨ ◇ after p_1).

□ in W_2 is assumed to hold eventually.

in W_2 ≡ (at W_2 ∨ at l_2 ∨ in NC_2 ∨ at m_2 ∨ in p_2 ∨ in cs_2 ∨ at r_2),
and using the theorem ◇(P ∨ Q) ⊃ ◇P ∨ ◇Q.

For all these nodes within the outer box, □ in p_1 is
true. From □ in p_1, Last = 2 and (S3a), follows □ Last = 2.

While exit rule for p_1.

Single exit rule, in NC_2 ⊃ (□ in NC_2 ∨ ◇ after NC_2).

From □ in NC_2 and the invariant I (i.e. □(in NC_2 ⊃ ¬Q2))
follows □¬Q2.

While exit rule for p_1.

By assumption in cs_2 ⇝ after cs_2.

Single exit rule in p_2 ⊃ (□ in p_2 ∨ ◇ after p_2).

(Last = 2 ∨ Last = 1) is assumed to hold in sc, by □I.

The theorem (Last = 2 ∨ Last = 1) ⊃ ◇(Last = 2) ∨ ◇(Last = 1).

From □ in p_1, Last = 2 and (S3a), follows □ Last = 2.

While exit rule for p_1.

From □ in p_2, Last = 1 and (S3b), follows □ Last = 1.

While exit rule for p_2.

'after p_2' contradicts the fact that □ in p_2 holds for
all nodes within the inner box. Hence the next edge
leading to 'false'.

The other steps in the proof lattice follow from the
statement rule.

*Box notation: Drawing a box labelled □Q around some nodes in
the lattice (Q is any assertion) signifies that □Q is to be
ANDed to the assertion attached to every node in the box.
2.2 Manna-Pnueli Method

In [MP] each (sequential) process of a concurrent program
is represented as a directed graph, in which the nodes are the
control locations. Each arc represents an elementary action.
Associated with each arc is an enabling predicate, which must be
true for the elementary action to occur, and an updating function
which updates the values of all variables simultaneously and also
updates the location variable (i.e. program counter) of the process
to which the arc belongs.

Four rules are given, to derive P ⇝ Q for a given
subgraph of a directed graph (i.e. for a given program fragment);
in MP terms, P ⇝ Q is expressed as a temporal logic theorem.

Actually, the rules are used to derive formulas of the
form P ∧ □χ ⊃ ◇(some consequent). That is, progression between P
and (say) Q is guaranteed subject to the invariance of χ
(i.e. □χ ⊃ (P ⇝ Q)). In those cases where no additional invariant
is required to guarantee progression, χ = True.

The four rules follow. MP uses (at l ∧ φ) for P, and
ψ for Q.

A predicate φ is said to be χ-invariant if φ is
preserved by every transition which preserves χ,

i.e. for every elementary action τ,

    {φ ∧ χ} τ {φ ∨ ¬χ}.

That is, for every τ,

    [φ(π̄; ȳ) ∧ χ(π̄; ȳ) ∧ χ(r(π̄); f(ȳ))] ⊃ φ(r(π̄); f(ȳ)),

where π̄ is the vector of location variables, ȳ the vector of
program variables, and r and f the location-updating and
variable-updating functions of τ.
(ESC) Rule of Escape

Consider a location l in process P_j. Let T = {τ_1, ..., τ_K}
be some subset of the set of all transitions originating in l.
Let l^1, ..., l^K be the destination locations and c_1, ..., c_K the
enabling predicates of transitions τ_1, ..., τ_K. Location l
must be deterministic, i.e. the enabling predicates c and c'
of any two distinct transitions originating in l must be disjoint,
so that ¬(c ∧ c'). Let φ, χ and ψ be predicates such that:

A: φ is (at l ∧ χ)-invariant.

This means that as long as control remains at l and χ is
preserved, so is φ.

B: Any of the i = 1, ..., K transitions of T that preserves χ
and is initiated with φ true, achieves ψ, i.e.

    (at l ∧ c_i(ȳ) ∧ φ(π̄; ȳ) ∧ χ(π̄; ȳ) ∧ χ(r_i(π̄); f_i(ȳ)))
      ⊃ ψ(r_i(π̄); f_i(ȳ))

for every i = 1, ..., K.

Here r_i is a function on the vector of location variables
that updates the location variable of process P_j from l to
l^i (all other location variables are maintained).

C: φ ∧ χ ∧ at l ensures that at least one c_i, i = 1, ..., K, is true
(i.e. at least one transition of T is enabled).

Then under these conditions

    ⊨ (at l ∧ φ ∧ □χ) ⊃ ◇ψ.
(ALT) Rule of Alternatives

This rule applies to a set of (possibly nondeterministic)
locations. Let L be a set of locations in the process P_j and
T = {τ_1, ..., τ_K} the set of all transitions originating in L
and leading to locations l^i outside of L, i.e. l^i ∉ L.

Let φ, χ, ψ be predicates such that:

A: φ is (at L ∧ χ)-invariant.

This means that as long as control remains in L and
χ is preserved, so is φ.

B: Any of the i = 1, ..., K transitions of T that
preserves χ and is initiated with φ true,
achieves ψ, i.e. ψ will hold after the transition.

Then under these conditions

    ⊨ (at L ∧ φ ∧ □χ) ⊃ [□(at L ∧ φ) ∨ ◇ψ].
(SEM) Semaphore Rule

Rule ESC above is adequate for dealing with locations for
which the disjunction of all their enabling predicates (on all
the outgoing transitions) is identically true. A location which
does not satisfy this requirement is called a semaphore location.
A stronger rule than ESC and ALT is required to reason about
semaphore locations.

Let l be a (possibly semaphore) location and T = {τ_1, ..., τ_K}
the set of all the transitions originating in l. Let l^i and c_i,
for i = 1, ..., K, be respectively the destination location of τ_i
and its enabling predicate.

Let φ, χ and ψ be predicates such that:

A: φ is (at l ∧ χ)-invariant.

This means that as long as control remains at l and
χ is preserved, so is φ.

B: Any of the transitions of T which
preserves χ and is initiated with φ true, achieves ψ.

C: If φ and χ hold permanently at l, then eventually
one of the c_i, i = 1, ..., K, will be true. That is

    ⊨ □(at l ∧ φ ∧ χ) ⊃ ◇(c_1 ∨ ... ∨ c_K).

Under these conditions

    ⊨ (at l ∧ φ ∧ □χ) ⊃ ◇ψ.
(SP) Single Path Rule

In this derived rule, ESC is applied repetitively to a
sequence of locations.

Let $l_1, l_2, \dots, l_{k+1}$ be a path of deterministic locations
in $P_j$ with an immediate transition $\alpha_i$ from every $l_i$ to $l_{i+1}$,
$i = 1,\dots,k$.

Let $\varphi_1, \dots, \varphi_k$, $\chi$ and $\psi$ be predicates such that:

A: Each $\varphi_i$ is $(\mathit{at}\ l_i \wedge \chi)$-invariant, $i = 1,\dots,k$.

This means that as long as control remains at $l_i$ and
$\chi$ is preserved, so is $\varphi_i$.

B: Each transition $\alpha_i$, $i = 1,\dots,k$, which preserves $\chi$ and
is initiated with $\varphi_i$ true, achieves $\varphi_{i+1}$ (with $\varphi_{k+1} = \psi$).

C: $\varphi_i \wedge \chi$ at $l_i$ ensures that $c_i$ is true, i.e.

$\models (\mathit{at}\ l_i \wedge \varphi_i \wedge \chi) \supset c_i$.

Then under these conditions

$\models \left[\bigvee_{i=1}^{k} (\mathit{at}\ l_i \wedge \varphi_i)\right] \wedge \Box\chi \supset \Diamond\psi$

That is, if control is anywhere in the path with the
appropriate $\varphi_i$ true and $\chi$ is continuously maintained, eventually
$\psi$ is true.


2.2.1 Example - Generalized Dining Philosophers

A number of philosophers are seated round a table, on
which there are the same number of forks. A philosopher
continuously cycles between Thinking, picking up the two forks on
either side and Eating, then again Thinking [DIJ 1].

It is assumed that the number of philosophers is at
least three.

Program Dining Philosophers;
  { 3 <= N = some constant }
  Mutex: Semaphore;
  Privsem: Array [1..N] of Semaphore;
  State: Array [1..N] of integer;

  Mutex := 1;
  For all i, 1 <= i <= N do
    State[i] := 0; Privsem[i] := 0
  od;
  cobegin
    Philosopher(1) || Philosopher(2) || ... || Philosopher(N)
  coend

Philosopher(i):
  Th : Think;
  k  : Wait(Mutex);
  l  : State[i] := 1;
  m  : Test&Set(i);
  p  : Signal(Mutex);
  q  : Wait(Privsem[i]);
  Eat: The philosopher eats;
  r  : Wait(Mutex);
  s  : State[i] := 0;
  u  : Test&Set(Li);
  v  : Test&Set(Ri);
  w  : Signal(Mutex);
  y  : Go to Th;

Note: State may be interpreted as

  State[i] = 0 - Philosopher(i) is Thinking;
  State[i] = 1 - Philosopher(i) is Hungry;
  State[i] = 2 - Philosopher(i) is Eating.

Li and Ri are the left and right neighbour of philosopher i,
respectively. Thus for philosophers numbered 1 to N,

  L(i) = if i = N then 1 else i+1,
  R(i) = if i = 1 then N else i-1.

The control location of each philosopher is shown by the
subscripted label of the control location, where the subscript
is the number of the philosopher.

Test&Set(i) is an abbreviation for the atomic action:

  if State[Li] <> 2 and State[i] = 1 and State[Ri] <> 2
  then begin State[i] := 2; Signal(Privsem[i]) end

Every change to a State entry is made while Mutex is held (at l, m,
s, u and v), so Test&Set always reads a consistent snapshot of the
three entries it inspects. A philosopher whose own Test&Set at m fails
blocks at q and is released by a neighbour's Test&Set(i) at u or v
when that neighbour puts its forks down.

Thus $(\mathit{at}\ \mathit{Th}_{Li})$ is true if the left neighbour of
philosopher i is thinking. The subscript is dropped in the case of
philosopher i itself. Thus $(\mathit{at}\ \mathit{Eat})$ is true if philosopher i is
eating.

Subject to a constraint, it is proved that for any
arbitrary philosopher i,

$\models \mathit{at}\ k \supset \Diamond \mathit{at}\ \mathit{Eat}$.

It is possible for the two neighbours of philosopher i
to block i from ever eating, by suitably interleaving their own
eating: whenever one neighbour stops eating the other is already
eating, so Test&Set(i) never succeeds. The protocol guarantees that
neighbours never eat together, but it does not by itself exclude this
starvation, so the liveness property holds only under an assumption
about the neighbours' behaviour. The following constraint expresses it:

$\Box(\mathit{State}[i] = 1) \supset \Diamond\neg(\mathit{State}[Li] = 2 \vee \mathit{State}[Ri] = 2)$

Let $\mathit{NbrsIn} \equiv (\mathit{State}[Li] = 2 \vee \mathit{State}[Ri] = 2)$

- Either neighbour of Philosopher(i) is Eating.

The constraint is

$\models \Box(\mathit{State}[i] = 1) \supset \Diamond\neg\mathit{NbrsIn}$

- If a philosopher is forever hungry, then sometime
both its neighbours will not be eating.

Required Safety Properties:

Q1: $\mathit{Mutex} + \sum_{i} (\mathit{at}\ l_i + \mathit{at}\ m_i + \mathit{at}\ p_i) + \sum_{i} (\mathit{at}\ s_i + \mathit{at}\ u_i + \mathit{at}\ v_i + \mathit{at}\ w_i) = 1$,

where a location predicate counts as 1 when true and 0 otherwise:
either Mutex is free, or exactly one philosopher is inside one of the
two regions guarded by it.

Q2: $\forall i:\ (\mathit{State}[i] = 0 \vee \mathit{State}[i] = 1 \supset \mathit{Privsem}[i] = 0) \wedge (\mathit{Mutex} \geq 0) \wedge (\mathit{Privsem}[i] = 1 \supset \mathit{State}[i] = 2) \wedge (\mathit{State}[i] \neq 2 \vee \mathit{State}[Ri] \neq 2) \wedge (\mathit{at}\ q_i \wedge \mathit{State}[i] = 2 \supset \mathit{Privsem}[i] = 1)$

The fourth conjunct, taken over all i, says that no two neighbours
eat at the same time.

Initial Condition: $(\mathit{Mutex} = 1) \wedge \forall i\,(\mathit{State}[i] = 0 \wedge \mathit{Privsem}[i] = 0) \wedge \forall i\,(\mathit{at}\ \mathit{Th}_i)$.

From Initial Condition $\supset$ Q1 $\wedge$ Q2 and the invariance of
Q1 $\wedge$ Q2 follows

$\Box(\mathrm{Q1} \wedge \mathrm{Q2})$.

Two other safety properties are required, which are of the
form $I \wedge \Box R \supset \Box I$.

S1: $(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \wedge \Box\neg(\mathit{at}\ q \wedge \mathit{State}[i] = 2) \supset \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1)$, for all i.

This states that if philosopher i is waiting on its
Privsem, and neither neighbour of i does Test&Set(i)
successfully, then philosopher i must wait forever.

The only actions affecting this implication are those
at $q_i$, $u_{Ri}$ and $v_{Li}$, because only these can falsify
$(\mathit{at}\ q \wedge \mathit{State}[i] = 1)$. (Test&Set(i) is executed by the right
neighbour at $u_{Ri}$, since $L(Ri) = i$, and by the left neighbour at
$v_{Li}$, since $R(Li) = i$.)

The action at $q_i$ can never occur as long as $\mathit{State}[i] = 1$, because
then $\mathit{Privsem}[i] = 0$ by Q2. The actions at $u_{Ri}$, $v_{Li}$ either fail and
do nothing, or succeed and set $\mathit{State}[i] = 2$. But if they do succeed,
the antecedent term $\Box\neg(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$ is falsified. So that

$(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \wedge \Box\neg(\mathit{at}\ q \wedge \mathit{State}[i] = 2) \supset \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1)$.

Let $\chi \equiv (\mathit{at}\ s_{Li} \supset \mathit{State}[Ri] = 2) \wedge (\mathit{at}\ s_{Ri} \supset \mathit{State}[Li] = 2)$.

S2: $\mathit{NbrsIn} \wedge \Box\chi \supset \Box\mathit{NbrsIn}$, for all i.

In detail, this is

$(\mathit{State}[Li] = 2 \vee \mathit{State}[Ri] = 2) \wedge \Box((\mathit{at}\ s_{Li} \supset \mathit{State}[Ri] = 2) \wedge (\mathit{at}\ s_{Ri} \supset \mathit{State}[Li] = 2)) \supset \Box(\mathit{State}[Li] = 2 \vee \mathit{State}[Ri] = 2)$.

The only actions affecting this implication are those at
$s_{Li}$, $s_{Ri}$, because for any process the transition
$(\mathit{State}[\cdot] = 2) \to (\mathit{State}[\cdot] \neq 2)$ is made only at a single
location, i.e. $s$, and only such an action could falsify $\mathit{NbrsIn}$.
However, if $(\mathit{State}[Li] \neq 2 \wedge \mathit{State}[Ri] \neq 2)$ is true immediately
after either $s_{Li}$ or $s_{Ri}$, then $\chi$ could not have been true
immediately before the action. Consider $s_{Li}$:

$\mathit{at}\ s_{Li} \wedge \chi \supset \mathit{State}[Ri] = 2$,

so that even after $s_{Li}$, $\mathit{State}[Ri]$ would still remain 2 (the
action at $s_{Li}$ changes only $\mathit{State}[Li]$). The case of $s_{Ri}$ is
symmetric. Hence if $\Box\chi$ does indeed hold, then even the actions at
$s_{Li}$, $s_{Ri}$ do not falsify $\mathit{NbrsIn}$.

The following lemmas are needed for the final proof.

Lemma 1. $\models \mathit{at}\ k_i \supset \Diamond \mathit{at}\ l_i$, for all i.

This states that no philosopher is blocked forever
waiting on Mutex.

Lemma 2. $\models \mathit{at}\ q_i \wedge \mathit{State}[i] = 2 \supset \Diamond \mathit{at}\ \mathit{Eat}_i$, for all i.

Any philosopher waiting on its Privsem with its
State = 2 must have its Privsem = 1, and so cannot block at q.

Lemma 3. $\models \mathit{at}\ l_i \wedge \mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q_i \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$, for all i.

Lemma 4. $\models \mathit{at}\ l_i \wedge \neg\mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q_i \wedge \mathit{State}[i] = 2)$, for all i.

Proof of Lemma 1.

(1) By Q1, if $\mathit{Mutex} = 0$ then exactly one philosopher j is at one of
$l_j, m_j, p_j$ or at one of $s_j, u_j, v_j, w_j$.

(2) $\models \mathit{at}\ (l_j .. p_j) \wedge \mathit{Mutex} = 0 \supset \Diamond(\mathit{at}\ q_j \wedge \mathit{Mutex} = 1)$, by the
Single Path rule applied to the path $l_j \to m_j \to p_j \to q_j$ (the
Signal at $p_j$ sets $\mathit{Mutex} = 1$).

(3) $\models \mathit{at}\ (s_j .. w_j) \wedge \mathit{Mutex} = 0 \supset \Diamond(\mathit{at}\ y_j \wedge \mathit{Mutex} = 1)$, by the
Single Path rule applied to the path $s_j \to u_j \to v_j \to w_j \to y_j$.

(4) $\models \mathit{at}\ k \wedge \mathit{Mutex} = 0 \supset \Diamond \mathit{Mutex} = 1$, by 1, 2, 3.

(5) $\models \mathit{at}\ k \supset \Diamond \mathit{Mutex} = 1$, by 4, since Mutex is 0 or 1 by Q1 and Q2.

(6) $\models \mathit{at}\ k \supset \Diamond \mathit{at}\ l$, by the Semaphore rule, whose condition C
($\Box\,\mathit{at}\ k \supset \Diamond(\mathit{Mutex} > 0)$) follows from 5.

Proof of Lemma 2. Prove $\mathit{at}\ q \wedge \mathit{State}[i] = 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$.

Again, by the Semaphore rule, it must be shown that
$\models \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 2) \supset \Diamond(\mathit{Privsem}[i] = 1)$.

$\models \mathit{at}\ q \wedge \mathit{State}[i] = 2 \supset \mathit{Privsem}[i] = 1$, by Q2.

$\models \mathit{at}\ q \wedge \mathit{State}[i] = 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$, by the Semaphore rule.
($\mathit{State}[i] = 2$ is $(\mathit{at}\ q)$-invariant: only philosopher i itself, at
$s_i$, resets $\mathit{State}[i]$.)

Proof of Lemma 3. Prove $\mathit{at}\ l \wedge \mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$.

$\models \mathit{at}\ l \wedge \mathit{NbrsIn} \supset \Diamond(\mathit{at}\ m \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$,
by the Escape rule. $\mathit{NbrsIn}$ is $(\mathit{at}\ l)$-invariant, since every change
of a State entry is made while holding Mutex, which philosopher i holds at $l$.

$\models \mathit{at}\ m \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1 \supset \Diamond(\mathit{at}\ q \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$,
by the Single Path rule applied to the path $m \to p \to q$.
$(\mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$ is $(\mathit{at}\ m, \mathit{at}\ p)$-invariant; in particular
Test&Set(i) at $m$ fails because a neighbour is eating.

$\models \mathit{at}\ l \wedge \mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$,
by the last two steps.

Proof of Lemma 4. Prove $\mathit{at}\ l \wedge \neg\mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$.

$\models \mathit{at}\ l \wedge \neg\mathit{NbrsIn} \supset \Diamond(\mathit{at}\ m \wedge \neg\mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$,
by the Escape rule.

$\models \mathit{at}\ m \wedge \neg\mathit{NbrsIn} \wedge \mathit{State}[i] = 1 \supset \Diamond(\mathit{at}\ p \wedge \mathit{State}[i] = 2)$,
by the Escape rule. $(\neg\mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$ is $(\mathit{at}\ m)$-invariant.
Under these conditions, Test&Set(i) succeeds.

$\models \mathit{at}\ p \wedge \mathit{State}[i] = 2 \supset \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$, by the
Escape rule.

$\models \mathit{at}\ l \wedge \neg\mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$, by the last
three steps.

Lemma 5. $\models \mathit{at}\ s_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$.

$\models \mathit{at}\ s_{Li} \wedge (\mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2) \supset \Diamond(\mathit{at}\ v_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2)$,
by the Single Path rule applied to the path $s_{Li} \to u_{Li} \to v_{Li}$.
$(\mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2)$ is $(\mathit{at}\ s_{Li}, \mathit{at}\ u_{Li})$-invariant.

$\models \mathit{at}\ v_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2 \supset \Diamond(\mathit{at}\ w_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 2)$,
by the Escape rule. $(\mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2)$ is
$(\mathit{at}\ v_{Li})$-invariant. Under these conditions Test&Set(i), executed by
Li at $v_{Li}$ since $R(Li) = i$, is successful: $\mathit{State}[Li] = 0$ was set at $s_{Li}$.

$\models \mathit{at}\ q \wedge \mathit{State}[i] = 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$, Lemma 2.

$\models \mathit{at}\ s_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$,
by the last three steps.

Lemma 6. $\models \mathit{at}\ s_{Ri} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Li] \neq 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$.

The proof is that of Lemma 5 with Li and Ri interchanged; here
Test&Set(i) is executed by Ri at $u_{Ri}$, since $L(Ri) = i$.
The assumed constraint is

$\neg\Box(\mathit{State}[i] = 1) \vee \Diamond\neg\mathit{NbrsIn}$,

i.e. $\Box(\mathit{State}[i] = 1) \supset \Diamond\neg\mathit{NbrsIn}$. To prove:

$\models \mathit{at}\ k \supset \Diamond \mathit{at}\ \mathit{Eat}$.

(1) $\models \mathit{at}\ k \supset \Diamond \mathit{at}\ l$, Lemma 1.

(2) $\models \mathit{at}\ l \supset (\mathit{at}\ l \wedge \mathit{NbrsIn}) \vee (\mathit{at}\ l \wedge \neg\mathit{NbrsIn})$, Tautology.

(3) $\models \mathit{at}\ l \wedge \neg\mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$, Lemma 4.

(4) $\models \mathit{at}\ l \wedge \neg\mathit{NbrsIn} \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 3, Lemma 2.

(5) $\models \mathit{at}\ l \wedge \mathit{NbrsIn} \supset \Diamond(\mathit{at}\ q \wedge \mathit{NbrsIn} \wedge \mathit{State}[i] = 1)$, Lemma 3.

(6) $\models \mathit{at}\ q \wedge \mathit{State}[i] = 1 \supset \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \vee \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 2)$, by Safety Property S1.

(7) $\models \mathit{at}\ q \wedge \mathit{State}[i] = 1 \supset \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \vee \Diamond \mathit{at}\ \mathit{Eat}$, by 6, Lemma 2.

(8) $\models \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{NbrsIn} \supset \mathit{NbrsIn} \wedge (\Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \vee \Diamond \mathit{at}\ \mathit{Eat})$, by 7, ANDing $\mathit{NbrsIn}$ to the antecedent and the consequent.

(9) $\models \mathit{NbrsIn} \wedge \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \supset \Diamond\neg\mathit{NbrsIn}$, by the assumed constraint.

(10) $\models \mathit{NbrsIn} \wedge \Box\chi \supset \Box\mathit{NbrsIn}$, by Safety Property S2.

(11) $\models \Diamond\neg\mathit{NbrsIn} \supset \neg\mathit{NbrsIn} \vee \Diamond\neg\chi$, by 10 (contraposition).

(12) $\models \mathit{NbrsIn} \wedge \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \supset \neg\mathit{NbrsIn} \vee \Diamond\neg\chi$, by 9, 11.

(13) $\models \mathit{NbrsIn} \wedge \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \supset \Diamond(\mathit{at}\ s_{Li} \wedge \mathit{State}[Ri] \neq 2) \vee \Diamond(\mathit{at}\ s_{Ri} \wedge \mathit{State}[Li] \neq 2)$, by 12, rewriting $\neg\chi$ (the disjunct $\neg\mathit{NbrsIn}$ contradicts the antecedent).

(14) $\models \mathit{NbrsIn} \wedge \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \supset \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{at}\ s_{Li} \wedge \mathit{State}[Ri] \neq 2) \vee \Diamond(\mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{at}\ s_{Ri} \wedge \mathit{State}[Li] \neq 2)$, by 13 and the Temporal Logic theorem

$\models (A \wedge \Box P \supset \Diamond Q) \equiv (A \wedge \Box P \supset \Diamond(P \wedge Q))$.

(15) $\models \mathit{at}\ s_{Li} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Ri] \neq 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$, by Lemma 5.

(16) $\models \mathit{at}\ s_{Ri} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \wedge \mathit{State}[Li] \neq 2 \supset \Diamond \mathit{at}\ \mathit{Eat}$, by Lemma 6.

(17) $\models \mathit{NbrsIn} \wedge \Box(\mathit{at}\ q \wedge \mathit{State}[i] = 1) \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 14, 15, 16.

(18) $\models \mathit{NbrsIn} \wedge \mathit{at}\ q \wedge \mathit{State}[i] = 1 \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 8, 17.

(19) $\models \mathit{at}\ l \wedge \mathit{NbrsIn} \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 5, 18.

(20) $\models \mathit{at}\ l \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 2, 4, 19.

(21) $\models \mathit{at}\ k \supset \Diamond \mathit{at}\ \mathit{Eat}$, by 1, 20.

This completes the proof.
2.3 Lamport's Method

The approach of [LAM1] is different from that of [OL],
[MP]. Being an early work, it does not make use of temporal
logic. Each process of a program is represented in [LAM1]
as a flowchart. Associated with each process is a token, which
is initially placed on a distinguished arc of the corresponding
flowchart. Any flowchart has two kinds of nodes (i.e. elementary
actions): assignment nodes and decision nodes. The execution
of a process is represented by the movement of its token from
arc to arc. When the token passes through an assignment node,
the values of variables are updated, whereas, if it passes
through a decision node, the condition is evaluated and the token
moves to the appropriate (T or F) output arc of the node.

In order to derive safety or liveness properties of
a program, every arc $\alpha$ of every process $Pr_k$ of the program is
annotated with a pair of assertions, called an input assertion
($I_\alpha$) and an output assertion ($O_\alpha$). An assertion is a
truth-valued function of variables and token positions. The
output assertion, in fact, is always either identical to the
corresponding input assertion, or it is the assertion 'false'.

The idea is that whenever a token reaches an arc, the corresponding
output assertion is true. In the initial state each token is on
an arc whose input assertion is true.

Consistency Condition (for an isolated process). For each flowchart
node, if the token is on an input arc whose input assertion is true,
then executing the node moves the token to an output arc of the node
whose output assertion is true.

This condition, of course, only guarantees the partial
correctness of an isolated process.

The entire program is consistent if (i) each process in
isolation is consistent and (ii) for any process $Pr_k$, supposing
the token is on an arc $\alpha$ with corresponding input assertion $I_\alpha$
true, then for all flowchart nodes not in $Pr_k$, execution
of the node must preserve the truth of $(\mathit{at}\ \alpha \wedge I_\alpha)$. These
conditions ensure that, with respect to an annotation, the entire
program is consistent. ([LAM1] calls an annotation of a flowchart
a 'generalized interpretation'.)

The consistency of the interpretation of an entire
program is exactly similar to the interference-freedom of the
proof outline of a program in [OG].

For two assertions P, Q about a program, [LAM1] gives
two axioms for the relation $\leadsto$ (leads to).

Axiom L1: For a generalized interpretation of a program, if

(a) by assuming the invariance of $\neg Q$ it can be
proved that

(i) $P \supset (\mathit{at}\ \alpha \supset I_\alpha)$ for all arcs $\alpha$ in all
processes $Pr_k$; i.e. if the token of any process
is on an (arbitrary) arc and P is true, then the
corresponding input assertion is true,

(ii) the generalized interpretation for the entire
program is consistent;

(b) $\{\alpha \mid O_\alpha = \mathit{false}\}$ is an inevitable set.

(An inevitable set for a program is a set of arcs
such that for some process $Pr_k$, every closed path
in process $Pr_k$ contains an arc in the set, and all
exit arcs of process $Pr_k$ belong to the set.)

Then $P \leadsto Q$.

This axiom describes the method of ensuring, for a given program
and pair of assertions, that $P \leadsto Q$.

The idea is to assume the invariance of $\neg Q$, and show
that starting in any state with P true always ends up in a
contradiction. Under the invariance of $\neg Q$, some arcs may
be annotated with the output assertion 'false', because the
token can never move to such an arc without violating $\neg Q$.
Further, if for some process $Pr_k$ every loop and exit arc is cut
by an arc with output assertion 'false', it follows that every
execution sequence starting in a state with P true ends up with
the token of process $Pr_k$ moving to an arc with output assertion
'false'. Hence the conclusion $P \leadsto Q$ (i.e., the falsity of
$P \wedge \Box\neg Q$ is equivalent to $P \supset \Diamond Q$).
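Condition (b) of Axiom L1 is a purely structural check on one process's flowchart, and it is the one step of the method that can be mechanised without reasoning about assertions. As an added example (not from [LAM1] or the thesis), the following Python function decides whether a set of arcs is inevitable for a process: every exit arc must be in the set, and the flowchart with the set's arcs removed must contain no closed path. The flowchart representation, the busy-wait example and its annotation are constructed here for illustration.

```python
def is_inevitable(flowchart, S):
    """Check Lamport's condition (b) for one process.

    flowchart maps each node to its outgoing arcs [(arc_name, target_node), ...],
    with target_node None for an exit arc.  S (a set of arc names, in Axiom L1
    the arcs whose output assertion is 'false') is inevitable for the process iff
      - every exit arc is in S, and
      - every closed path contains an arc in S, i.e. the flowchart with the
        arcs of S removed is acyclic.
    """
    exits = {arc for outs in flowchart.values() for arc, tgt in outs if tgt is None}
    if not exits <= S:
        return False
    WHITE, GRAY, BLACK = 0, 1, 2            # DFS colours for cycle detection
    colour = {node: WHITE for node in flowchart}

    def acyclic_from(node):
        colour[node] = GRAY
        for arc, tgt in flowchart[node]:
            if tgt is None or arc in S:     # exit arcs and arcs cut by S close no path
                continue
            if colour[tgt] == GRAY:         # back edge: a closed path that avoids S
                return False
            if colour[tgt] == WHITE and not acyclic_from(tgt):
                return False
        colour[node] = BLACK
        return True

    return all(acyclic_from(node) for node in flowchart if colour[node] == WHITE)


def false_arcs(output_assertions):
    """The set {alpha | O_alpha = false} of Axiom L1(b), read off an annotation."""
    return {arc for arc, out in output_assertions.items() if out is False}


# Constructed example: a busy-wait loop.
#   [test] --t--> [body] --c--> [test]      (c is the loop's back arc)
#   [test] --e--> exit
BUSY_WAIT = {
    "test": [("t", "body"), ("e", None)],
    "body": [("c", "test")],
}

# Constructed annotation under the hypothesis "not Q is invariant": the token can
# neither complete the loop (arc c) nor leave it (arc e) without violating not Q.
ANNOTATION = {"t": "I_t", "c": False, "e": False}

if __name__ == "__main__":
    S = false_arcs(ANNOTATION)
    print("false-annotated arcs:", sorted(S), "inevitable:", is_inevitable(BUSY_WAIT, S))
```

With both the back arc and the exit arc annotated 'false' the set is inevitable, which is the situation in which Axiom L1 yields P leads-to Q. Leaving out the exit arc fails the first test; leaving out the back arc fails the second, because the token can then circle the loop forever without ever reaching a 'false' arc.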

Axiom L2: (a) The relation $\leadsto$ is transitively closed.

(b) If Sp is a finite set of assertions, and $P \leadsto Q$
for each $P \in Sp$, then $(\bigvee Sp) \leadsto Q$.

The following derived theorems are also of use.

Theorem: If $\models \Box(A \supset B)$ ($A \supset B$ is invariant), then $A \leadsto B$.

Theorem: If $\models \Box\neg C$ ($\neg C$ is invariant) implies $A \leadsto B$,
then $A \leadsto B \vee C$.

Theorem: If $\models \Box C$ ($C$ is invariant) and C is monotone (execution
of every flowchart node preserves C) implies $A \leadsto B$,
then $A \wedge C \leadsto B \wedge C$.

Theorem: Let Sp be a finite well-founded set of assertions
(with an irreflexive partial ordering $<$) and Q
be any assertion.

If $P \leadsto (\bigvee P{\downarrow}) \vee Q$ for all $P \in Sp$, then $(\bigvee Sp) \leadsto Q$.

(Note: $P{\downarrow} \equiv \{X \mid X \in Sp \wedge X < P\}$.)

The major difference between [LAM1] and [OL], [MP]
is that in [LAM1] the entire program must be examined to derive
$P \leadsto Q$, whereas in the other methods rules are given to derive
$P \leadsto Q$ for a program fragment. Of course, in order to derive
$P \leadsto Q$ for two arbitrary assertions P, Q, the actions of the
entire program are relevant. However, in [OL], [MP] this global
interaction of the entire program is captured by means of safety
properties (invariants). These safety properties must be derived
first, but their derivation is done completely independently
of the liveness properties. In [OL], [MP], once the required
safety properties are shown indeed to hold, $P \leadsto Q$ is derived
trivially by applying one of the given rules.

A related point is that, in both [OL], [MP], the
assertion P must be the conjunction of a location predicate
and (possibly) some other assertion (i.e. $P \equiv \mathit{at}\ l \wedge \varphi$). The
location predicate identifies a program fragment, to which a
liveness rule is applied. Such a constraint on P is obviated
in [LAM1] by condition (a)(i) of Axiom L1.

The methods of [OL] and [MP] are similar in many
respects. Both use Temporal Logic to state and reason about
liveness properties. Both give rules for deriving the most
elementary liveness properties for a fragment of a given program.
The more complex liveness properties are derived from the more
elementary ones by the standard techniques of induction and
enumeration (case analysis) and by making use of the transitivity
of $\leadsto$.

The rules are given for program fragments, which in terms
of [OL] are atomic or compound statements, whereas in [MP] a
program fragment is a set of control locations and all the
associated transitions. The [OL] method is used with a programming
language in which all constructs are single-entry, single-exit.
There is no such restriction in [MP]. However, an arbitrary
program can always be converted to one using only single-entry,
single-exit constructs, so this difference is not at all
significant. There is one major difference between the two
methods: [OL] is based on the use of invariant assertions, whereas
[MP] uses intermittent assertions.

2.4 Invariant Assertions - Intermittent Assertions

An invariant assertion is an assertion associated with
a control location, such that the assertion is true every time
control reaches that control location. An intermittent assertion
need only be true sometime when control reaches the associated
control location. An intermittent assertion is guaranteed to
become true at least once. An invariant assertion may never become
true, that is, control may never reach its associated control
location. This difference between [OL] and [MP] is illustrated
by the following.

(Assume only single-entry, single-exit constructs are
used.)

For a compound statement S, it is required
to know the conditions under which it is guaranteed that
control reaches after S with some assertion Q true, i.e. the
conditions required to derive $\Diamond(\mathit{after}\ S \wedge Q)$.

In [OL] the required conditions are

$\{P\}\ S\ \{Q\},\quad \Box(\mathit{in}\ S \supset P),\quad \mathit{in}\ S \leadsto \mathit{after}\ S \;\vdash\; \mathit{in}\ S \supset \Diamond(\mathit{after}\ S \wedge Q)$

Thus, an invariant assertion $\{P\}\ S\ \{Q\}$ has to be established.
The program control flow, $\mathit{in}\ S \leadsto \mathit{after}\ S$, is treated separately
from the assertions P, Q. The invariant $\Box(\mathit{in}\ S \supset P)$ is also required.

In [MP] the required conditions are

$P \wedge \Box\,\mathit{in}\ S \supset \Box P,\quad \mathit{in}\ S \wedge P \leadsto \mathit{after}\ S \wedge Q \;\vdash\; \mathit{in}\ S \wedge P \supset \Diamond(\mathit{after}\ S \wedge Q)$

That is, P must be shown to be preserved as long as
control is in S, the liveness must be shown between complex
assertions (not simple location predicates), and initially
$P \wedge \mathit{in}\ S$ must be shown to hold, in contrast to $\mathit{in}\ S$ alone
as required in [OL].

In a method using invariant assertions, the two
properties of partial correctness (i.e. $\{P\}\ S\ \{Q\}$) and termination
(i.e. $\mathit{in}\ S \leadsto \mathit{after}\ S$) are regarded as distinct properties. These
two properties are combined into a single liveness property
(i.e. $\mathit{in}\ S \wedge P \leadsto \mathit{after}\ S \wedge Q$) in a method which uses intermittent
assertions.

Manna and Waldinger [MW] point out that any proof derived
using invariant assertions may be converted (almost trivially)
to one using intermittent assertions, but the converse is not
true. A method using intermittent assertions is then more general
than one using invariant assertions.

However, the naturalness and power of an intermittent
assertion method is achieved at the cost of intertwining the
properties of the abstract objects manipulated by the program
and the control flow of the program itself. This issue was
raised by Gries [GRI 2], who maintains that such an intertwining
of properties of abstract objects and program control flow
contradicts the desire for a separation of concerns and, hence,
concludes that the invariant assertion method is superior
(for sequential programs).

In sum, an intermittent assertion method is more
natural, in the sense of being akin to informal reasoning.
But a proof derived by this method may miss out the additional
insight gained by using an invariant assertion method.
EXAMPLE PROOFS

3.1 On-the-Fly Garbage Collector

This is a two-process program to collect garbage in a
list processing system. The program development is described in
[DIJ 2] and a correctness proof using the Owicki-Gries method
is presented in [GRI 1]. The two processes are called the
'mutator' and the 'collector', and their only indivisible action
need be the memory reference.

It is not a good program. The fine degree of inter-
leaving makes the correctness proof very difficult to understand.
Minor changes, seemingly of no consequence (e.g. interchanging the
two actions in procedures 'addleft' or 'addright'), give rise to
subtle errors. The error that matters is the collector reclaiming a
node the mutator can still reach: once such a node is handed out
from the free list again, two live structures share it, the
concurrent analogue of a use-after-free. Yet, for these very
reasons, it is of interest to examine this program.

One reason for difficulty in understanding this program
is that use is made of the properties of a directed graph with
nodes of three colours, whose edges change over time. These
properties are not at all well known and neither are they intuitively
apparent; possibly if these properties were proved separately
the correctness argument would be simplified.

The data structure used in a conventional implementation
of LISP is a directed graph in which each node has at most two
outgoing edges (either of which may be missing), an outgoing left
edge and an outgoing right edge. At any moment all nodes of the
graph must be reachable, via a directed path, from a fixed root,
which has a fixed, known place in memory. The storage allocated
for each node is constant in size and can accommodate two pointers,
one for each outgoing edge. A special value NIL denotes a
missing edge. The directed graph may have cycles.

For any reachable node an outgoing edge may be deleted,
changed or added. Deletion and change may turn formerly reachable
nodes into unreachable nodes which can no longer be used by the
program (henceforth called the mutator). These unreachable nodes
are called garbage. Nodes not being used by the mutator are stored
in a Free List, maintained as a singly linked list. The mutator
may take a single node from the free list at a time. It does
this by deleting the first node from the free list, and adding an
edge to this node from a reachable node.

If the free list becomes empty, computation halts and
a procedure called 'garbage collection' is invoked. Beginning
with the root, all reachable and free list nodes are marked. Upon
completion of this marking phase, all unmarked nodes are known to
be garbage and are appended to the free list. Computation is
then resumed.

To avoid the disadvantage of the unpredictable garbage
collection interludes, a second processor, the 'collector', is
used concurrently with the mutator, to collect garbage on a more
continuous basis.

Three constraints were placed on the desired program:

(i) Interference between collector and mutator should
be minimum.

(ii) The overhead on mutator activity should be as small
as possible.

(iii) The ongoing activity of the mutator should not
impair the collector's ability to identify garbage
as soon as possible.

The program designed in [DIJ 2] is as follows. The
collector has two phases: marking reachable nodes and collecting
unmarked, unreachable nodes. Three colours are used for marking:
white represents unmarked, black marked, and gray an in-between
colour needed for mutator-collector co-operation.

The graph nodes are represented by an array m
of nodes. NIL is represented by 0, and thus the mutator
itself may never reference node m[0]. Each node has three sub-
fields of interest: m[i].colour, the current colour of the node;
m[i].left, the node's left son; and m[i].right, the node's right
son.

Two nodes m[ROOT] and m[FREE] are in fixed, constant
places in the array m. m[ROOT] is the single root of the mutator's
graph, while m[FREE] is used to indicate where the free list
begins. An extra integer variable ENDFREE is used to point to
the last node in the free list. m[FREE] is not a free list node,
while m[ENDFREE] is one. Nodes are coloured by one of the
three indivisible actions

  Whiten(i):       m[i].colour := white
  Blacken(i):      m[i].colour := black
  atleast-gray(i): if m[i].colour = white then m[i].colour := gray

(a black node is not affected by this action).

The mutator uses two procedures to add edges from one node to
another:

  Proc Addleft(k, j);
    {Add a left outgoing edge from node k to node j}
    begin m[k].left := j; atleast-gray(j) end;

  Proc Addright(k, j);
    {Add a right outgoing edge from node k to node j}
    begin m[k].right := j; atleast-gray(j) end;

That is, after adding an edge, but before attempting
any other action, the mutator grays the destination node of the
added edge.

The mutator is in a never-ending loop, repeatedly
choosing one of the actions available to it (in a nondeterministic
fashion). The mutator goes into a busy-wait loop if it requires
a free list node and the free list has only one node. This is
the only synchronisation between mutator and collector.

Program Garbage-Collector;
  m: Array [0..N] of node;
  ROOT, FREE, ENDFREE: 0..N;  i, j, k, f: integer;

  S : Initialise ROOT, FREE; m[0].left := 0; m[0].right := 0;
      i := N+1;
      Put all nodes (except 0, ROOT, FREE) in the free list, colouring
      them white, with ENDFREE pointing to the last node;
  sc: cobegin
        Mutator || Collector
      coend

Process Collector

  c0 : atleast-gray(ROOT)
  c1 : atleast-gray(FREE)
  c2 : atleast-gray(0)
  {Mark Phase}
  c3 : i := 0
  c4 : if i = N+1 go to c12
  c5 : if m[i].colour = gray go to c8
  c6 : i := i+1
  c7 : go to c4
  c8 : atleast-gray(m[i].left)
  c9 : atleast-gray(m[i].right)
  c10: blacken(i)
  c11: go to c3
  {Collect Phase}
  c12: i := 0
  c13: if i = N+1 go to c0
  c14: if m[i].colour = black go to c21
  c15: m[i].left := 0
  c16: m[i].right := 0
  c17: m[ENDFREE].left := i
  c18: ENDFREE := i
  c19: i := i+1
  c20: go to c13
  c21: whiten(i)
  c22: i := i+1
  c23: go to c13

Process Mutator

  {k, j are indices of nodes reachable from ROOT, k <> 0, j <> 0}

  m0 : {Nondeterministic location} go to one of m1, m3, m5, m7, m9, m15
  {Delete left son}
  m1 : m[k].left := 0
  m2 : go to m0
  {Delete right son}
  m3 : m[k].right := 0
  m4 : go to m0
  {Add left son}
  m5 : Addleft(k, j)
  m6 : go to m0
  {Add right son}
  m7 : Addright(k, j)
  m8 : go to m0
  {Add left son from free list}
  m9 : f := m[FREE].left
  m10: Addleft(k, f)
  m11: if f = ENDFREE go to m9
  m12: Addleft(FREE, m[f].left)
  m13: m[f].left := 0
  m14: go to m0
  {Add right son from free list}
  m15: f := m[FREE].left
  m16: Addright(k, f)
  m17: if f = ENDFREE go to m15
  m18: Addleft(FREE, m[f].left)
  m19: m[f].left := 0
  m20: go to m0

Two details of the listing matter for the proof. After the sons of a
gray node i have been grayed at c8, c9 and i has been blackened at c10,
the scan restarts at i = 0 (c11 to c3), so a gray son with an index
lower than i is not missed. In the busy-wait at m11 (m17) the mutator
has already added the edge from k to f; it re-reads f from m[FREE].left
until the collector has appended another node behind f, so that the
last free list node, whose left field the collector writes at c17, is
never taken.
Notation used in the proof:

$\mathit{Reach}(x) \equiv$ (there is a directed path from ROOT to x, or from FREE to x) $\vee\ (x = 0)$

$\mathit{Unreach}(x) \equiv \neg\mathit{Reach}(x)$. Note that $\mathit{Unreach}(x) \supset (x \neq 0 \wedge x \neq \mathit{ROOT} \wedge x \neq \mathit{FREE})$.

$\mathit{Black}(x) \equiv m[x].\mathit{colour} = \mathit{Black}$; similarly for $\mathit{White}(x)$, $\mathit{Gray}(x)$.

$L_x = m[x].\mathit{left}$, $R_x = m[x].\mathit{right}$.

$\#\mathit{Black}$ = the number of black nodes in array m[0..N].

$\mathit{at}\ \mathit{Mark} \equiv \mathit{at}\ c_0..c_{12} \equiv \mathit{at}\ c_0 \vee \mathit{at}\ c_1 \vee \dots \vee \mathit{at}\ c_{12}$

$\mathit{at}\ \mathit{Collect} \equiv \mathit{at}\ c_{13}..c_{23} \equiv \mathit{at}\ c_{13} \vee \dots \vee \mathit{at}\ c_{23}$

$\mathit{Gray\text{-}reachable}(x) \equiv$ there is a directed path $(k_1, k_2, \dots, k_p, x)$
where $k_1$ is gray and $k_2, \dots, k_p$ are white.

Node $k_1$ is called a "Gray-Source" of node x.

A node y is called an ancestor of node x if $\mathit{Anc}(x, y)$ is true.

$\mathit{Anc}(x, y) \equiv (y = x) \vee \mathit{Anc}(x, L_y) \vee \mathit{Anc}(x, R_y)$,

i.e. $\mathit{Anc}(x, y)$ is true if there is a directed path from
node y to x.

The subgraph consisting of nodes $\{y \mid \mathit{Anc}(x, y)\}$ need not be a
tree; it may have one or more cycles.
Property: $\mathit{Unreach}(x) \supset \forall y\,[\mathit{Anc}(x, y) \supset \mathit{Unreach}(y)]$

i.e. all ancestors of an unreachable node are also
unreachable. Obviously, if any ancestor of x were
reachable, x would also be reachable.

The safety properties used are:

Q1: $\mathit{at}\ sc \supset \Box\,\mathit{at}\ \mathit{Collector} \wedge \Box\,\mathit{at}\ \mathit{Mutator}$.

The collector and mutator are cyclic processes, so that once
control reaches them, it stays in them forever.

Q2: $\mathit{Unreach}(x) \wedge \Box\neg(\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i) \supset \Box\,\mathit{Unreach}(x)$, for all x.

An unreachable node is collected only by the collector action
at $c_{17}$, after which $(\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i)$ holds; otherwise,
if this action never occurs, it stays forever unreachable.

Q3: $\mathit{at}\ s \supset \Box(\mathit{at}\ c_0 \supset \forall x\,\neg\mathit{Black}(x)) \wedge \Box(\mathit{at}\ c_{12} \supset \forall x\,(\neg\mathit{Gray}(x) \wedge (\mathit{White}(x) \supset \mathit{Unreach}(x))))$

This is the fundamental safety property. At the start of the
Mark phase ($c_0$) all nodes are non-black. At the start of the
Collect phase ($c_{12}$) all nodes are non-gray and all white
nodes are unreachable. The second part is what makes the collect
phase safe: every node it appends to the free list is white, hence garbage.

Q4: $\forall y\,(\mathit{Anc}(x, y) \supset \neg\mathit{Gray}(y)) \wedge \Box\,\mathit{Unreach}(x) \supset \Box\,\forall y\,(\mathit{Anc}(x, y) \supset \neg\mathit{Gray}(y))$, for all x.

This is of the form $P \wedge \Box R \supset \Box P$.

If all ancestors of node x are non-gray, they remain forever
non-gray, provided x is forever unreachable.

Q5: $\forall y\,(\mathit{Anc}(x, y) \supset \mathit{White}(y)) \wedge \Box\,\mathit{Unreach}(x) \supset \Box\,\forall y\,(\mathit{Anc}(x, y) \supset \mathit{White}(y))$, for all x.

Again of the form $P \wedge \Box R \supset \Box P$.

If a node x is forever unreachable and all its ancestors
are presently white, then they will all remain forever
white.

This is actually a logical consequence of Q4 and "white
nodes can only turn gray".

Two liveness lemmas are used:

L1: $\models \mathit{at}\ c_0..c_{11} \supset \Diamond\,\mathit{at}\ c_{12}$

i.e. the Mark phase always terminates.

L2: $\models \mathit{at}\ c_{13}..c_{23} \supset \Diamond\,\mathit{at}\ c_0$

i.e. the Collect phase always terminates.
3.1.1 Proof of Safety Properties

Note that, to derive $P \wedge \Box R \supset \Box P$, it must be shown that
$\models \{P \wedge R\}$ any individual atomic action $\{P \vee \neg R\}$,
i.e.

$\mathit{at}\ l \wedge c_\alpha(y) \wedge P(\pi; y) \wedge R(\pi; y) \supset P(r_\alpha(\pi); f_\alpha(y)) \vee \neg R(r_\alpha(\pi); f_\alpha(y))$

holds for every transition $\alpha$.

Q2: $\mathit{Unreach}(x) \wedge \Box\neg(\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i) \supset \Box\,\mathit{Unreach}(x)$.

The mutator can only add edges to reachable nodes, hence
it cannot affect this assertion.

The only action in which the collector adds an edge is
at $c_{17}$, and after this action $(\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i)$ is true,
so that it is indeed true that

$\{\mathit{Unreach}(x) \wedge \neg(\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i)\}$ any atomic action $\{\mathit{Unreach}(x) \vee (\mathit{at}\ c_{18} \wedge L_{\mathit{ENDFREE}} = x = i)\}$.

Q3: $\mathit{at}\ s \supset \Box(\mathit{at}\ c_0 \supset \forall x\,\neg\mathit{Black}(x)) \wedge \Box(\mathit{at}\ c_{12} \supset \forall x\,(\neg\mathit{Gray}(x) \wedge (\mathit{White}(x) \supset \mathit{Unreach}(x))))$.

This. is the fundamental safety property of the garbage 
collector* Three other invariants are required to prove it* 

(R3) at s Q (at -c (white (x) A Reach (x) 3 Gray -reachable (x), 

Dxiring the mark phage every reachable white node is 
gray- reach able- i.e* there is a directed path from a gray 
node, along white nodes, to every reachable white node. 


(G3) 




at s'loOCat ^Sq c^^'^C^gray node in mEo. .i-lj 3^ray node in 

mEi..N]]) 

During a scan of array m^for the mark phase, if there is a 

gray node in the already scanned nodes there mxist 

be a gray node among the nodes yet to be scanned, [i, ,NJ. 

A 


(B3) 

This assertion has been strengthened, so that it can also 
be shown that any node added to the Free List is indeed 
unreachable (this is a desired collector safety property). 

at s ⊃ □(at c13..c23 ⊃ 
      ∀x[x ∈ {0..i-1} ⊃ ¬Black(x)] 
    ∧ ∀x[x ∈ {i..N} ⊃ ¬Gray(x) ∨ (x = i ∧ at c19, c22)] 
    ∧ ∀x[x ∈ {i..N} ∧ White(x) ⊃ Unreach(x) ∨ (x = i ∧ at c18, c19, c22)]). 

In the collect phase, there are no black nodes in the 
already scanned nodes [0..i-1], there are no gray nodes in 
[i..N], and all white nodes in [i..N] are unreachable. 

Q3 is easily seen to be true from the three assertions (R3), 
(G3), (B3) as follows: 

From (at c0 ⊃ i = N+1) and (B3), □(at c0 ⊃ ∀x[x ∈ {0..N} ⊃ ¬Black(x)])   (1) 

From (at c12 ⊃ i = N+1) and (G3), □(at c12 ⊃ ¬∃ gray node in m[0..N])   (2) 

because ∃ gray node in m[N+1..N] is obviously false. 
¬∃ gray node in m[0..N] ⊃ ∀x(¬Gray-reachable(x)), i.e. if there are 
no gray nodes at all, no node can be gray-reachable. 

From this, and (R3), 

□(at c12 ⊃ ∀x[¬White(x) ∨ Unreach(x)])   (3) 

Q3 is the conjunction of (1), (2) and (3). 

The three assertions (R3), (B3), (G3) must be considered 
separately. 

(R3) is true when control enters Mark phase, because ROOT, 
FREE have been grayed and all nodes are nonblack. Subsequently, 
while control is in Mark, (R3) can be falsified only by blackening 
a gray node which is a unique gray-source for some reachable 
white node. However, when node i is blackened at c10, both 
its sons have been previously grayed at c8, c9. Consequently, 
at the instant when the action at c10 occurs either both its 
sons are non-white, or the mutator has just added a white son to 
node i but not yet grayed it. In the latter case, the new white son 
must have been gray-reachable before the mutator action (note 
that the mutator only affects reachable nodes), so it has another gray-
source besides node i*. In any case (R3) is preserved. 

(G3) is trivially true when control enters Mark phase. 
Subsequently, it may be falsified by any action which 

(i) Grays a node in [1..i-1] at a time when there are no 
other gray nodes in [1..i-1] 

(ii) Blackens a gray node in [i..N] or decreases i 

(iii) Increases i, that is the action at c6. 


If the mutator grays a white node in [1..i-1], at a time 
when there are no other gray nodes in [1..i-1], then the gray-
source of this node must be present in [i..N]. 

The action which blackens a node in [i..N] is followed by 
setting i to 0, thereby making (G3) trivially true. 

The action at c6, which increments i, maintains (G3) because 

at c5 ∧ (G3) ∧ ¬Gray(i) {transition c5 → c6} at c6 ∧ (G3) with i replaced by i+1. 

That is, when control first reaches c6, (G3) holds with i 
replaced by i+1. This can be seen from 

at c5 ∧ [∃ gray node in [1..i-1] ⊃ ∃ gray node in [i..N]] ∧ ¬Gray(i) 

≡ at c5 ∧ [(¬∃ gray node in [1..i-1] ∧ ¬Gray(i)) 
          ∨ (∃ gray node in [i..N] ∧ ¬Gray(i))] 

≡ at c5 ∧ (G3) with i replaced by i+1. 

(*Note: The other gray source of the new white son cannot be node i, 
because node i's second son is non-white.) 
Hence, if the transition at c5 leading to c6 occurs, (G3) with i 
replaced by i+1 must be true immediately before and after the transition. 
Subsequently, after the action at c6, (G3) again holds by the rule of 
assignment, i.e. {(G3) with i replaced by i+1} i := i+1 {(G3)}. 

(B3) is true when control enters c13..c23, because i is 
set to 0 by the action at c12. From (R3), (G3) it follows 
that all nodes are non-gray and all white nodes are unreachable, 
and control first reaches c13 through c12. It must be shown 
that (B3) holds subsequently. (B3) actually consists of 
three subassertions, 

(B3b) at c13..c23 ⊃ ∀x[x ∈ {0..i-1} ⊃ ¬Black(x)] 

The mutator cannot affect (B3b). 

This is maintained subsequently because the only collector 
actions to affect it (in collect phase) are the increments of i 
at c19, c22. The action at c19 is always preceded by a check at 
c14 that node i is nonblack, and the action at c22 is always 
preceded by the whitening of node i. 

(B3w) at c13..c23 ⊃ ∀x[x ∈ {i..N} ∧ White(x) ⊃ Unreach(x) 
        ∨ (x = i ∧ at c18, c19, c22)] 

The mutator cannot affect (B3w). The collector actions 
affecting it (in collect phase) are those that change i, and 
those that falsify [Unreach(x) ∨ (x = i ∧ at c18, c19, c22)]. The 
action at c18 does falsify Unreach(i) but makes 'at c19' true. 
The actions at c19, c22 increment i and falsify 'at c19, c22', 
but incrementing i strengthens the antecedent of (B3w) so that 
the truth of (B3w) is maintained. 
(B3g) at c13..c23 ⊃ ∀x[x ∈ {i..N} ⊃ ¬Gray(x) ∨ (x = i ∧ at c19, c22)] 

The only collector actions to affect (B3g) are the ones at 
c19, c22; both increment i and falsify 'at c19, c22'. Again, 
an increment of i only strengthens the antecedent of (B3g), so 
that the assertion's truth is preserved. 

The only way the mutator can falsify (B3g) is by graying a 
white, reachable node. However, from (B3w) it follows that a 
white reachable node x can exist in [i..N] only for (x = i ∧ at 
c18, c19, c22). The case (x = i ∧ at c19, c22) occurs in the 
consequent of (B3g), so in this case (B3g) is not affected by 
the graying of the white node i. The case (x = i ∧ at c18) also 
cannot lead to violation of (B3g) because the mutator cannot access 
a node to the left of ENDFREE, and at c18 the only white 
reachable node in {i..N}, the node i, is the left son of node 
ENDFREE. 

Q4: ∀y[Anc(x,y) ⊃ ¬Gray(y)] ∧ □Unreach(x) ⊃ □∀y[Anc(x,y) ⊃ ¬Gray(y)] 

From the definition of the relation Ancestor, it follows that 
all ancestors of x must be forever unreachable, if x is 
forever unreachable. 

No mutator action can affect an unreachable node, so the 

mutator cannot gray any ancestor of x. 

The collector only grays nodes by the actions at c8, c9 in 
the Mark Phase, but this is only done after checking at c5 that 
the parent of these two nodes is gray. Since all the ancestors 
of x are nongray, there cannot be a node among the ancestors of x 
whose parent is gray. Hence, the collector under the given 
conditions can never gray any ancestor of x. 

Q5: ∀y[Anc(x,y) ⊃ White(y)] ∧ □Unreach(x) ⊃ □∀y[Anc(x,y) ⊃ White(y)] 

Q5 may be derived by considering all actions that may 
falsify it, as was done for Q4. 

However, its truth follows from Q4 and the assertion "A white 
node can only turn gray". 

From Q4 and the antecedent of Q5 it follows that the ancestors 
of x are forever nongray. Since initially the ancestors of x 
are all white, and they never turn gray, they must be forever 
white. 

∀y[Anc(x,y) ⊃ White(y)] ∧ □Unreach(x) 

⊃ ∀y[Anc(x,y) ⊃ ¬Gray(y)] ∧ □Unreach(x) 

⊃ □∀y[Anc(x,y) ⊃ ¬Gray(y)] 

From this, to conclude that □∀y[Anc(x,y) ⊃ White(y)], two assertions 
are required - 

the first is the one mentioned above i.e. 

White(x) ⊃ ¬Gray(x) U White(x), for all x, 

the second is, 

□Unreach(x) ∧ ¬Anc(x,y) ⊃ □¬Anc(x,y), for all x, y. 

The second assertion says that, if node x is forever unreach- 
able, and at any instant a node y becomes a non-ancestor of x, then 
y remains forever a non-ancestor of x. That is, no node can turn 
into the ancestor of a forever unreachable node. 



3.1.2 Proof of Liveness Properties 


To prove the liveness lemmas, the following invariant on 
the value of variable i is used, 

(Qi) at s ⊃ □([at c0 ⊃ i = N+1] ∧ [at c12 ⊃ i = N+1] 
        ∧ [at c5, c6, c8..c11, c13..c19, c21, c22 ⊃ 0 ≤ i ≤ N]). 

The following Induction Rule is used. 

Induction allows ⊨ (∃k φ(k)) ⊃ ◇ψ to be established 
from 

φ(0) ⊃ ψ and ∀n: [φ(n) ⊃ ◇(φ(n-1) ∨ ψ)]. 


Lemma (L1): ⊨ at c3..c11 ⊃ ◇ at c12 

This is shown by the SP rule applied to the path c3 → c4 ... c11 → c12. 

Induction must be used to show that control does leave c4..c11. 

(1) ⊨ at c3 ⊃ ◇(at c4 ∧ i = 0) by ESC rule. 

(2) ⊨ at c4 ∧ i = N+1 ⊃ ◇ at c12 by ESC rule. 

Now induction is used to show 

⊨ at c4..c11 ⊃ ◇(at c4 ∧ i = N+1). 

Let the 'bounding function' f be, 

f(i, #Black) = (N+1)[N - #Black] + [(N+1) - i] 

This is motivated by the fact that each iteration of Mark 
Phase increments i by 1 or blackens exactly one node (the 
node i). 

f = 0 ≡ i = N+1 ∧ #Black = N. 
Basis (3) ⊨ at c4..c11 ∧ f = 0 ⊃ at c4 ∧ i = N+1 using (Qi). 

( 4 ) F at A i=N+l V (at c4Ai=N+l) by ESC rule at c^r 

( 5 ) i: at C4Af=fQA i<N+l 3 ? (at c^A f=f^ A i<N+l) by ESC rule. 

(6) l=at C5 A f=±^ A i<N+l3 ^(|at c^M at Cg] A f=f^Ai<N+l) 

by ESC rule. 

(7 ) p at A f =f^ A i<N+l 3v(at A £=^0-1 < ^qA i 4 N+D 

by ESC rule • 

(8) J=at A iiN+l3V(at C4Af=f3_A i<N+l) by ESC rule. 


(9) t:at c:g,C3,CioAf=foAl^N+lpl7(at ' (N+l-D^lf, 

A i= 0 ) by SP rule to path . 

=8 A =9-^ =10“’ 'll- 

(10) 1 = at A f=£2Ai<N+l^V °4 ^ 1 <N+ 1 ) 

by ESC rule. 

(11) l: at Cg A i<N+l3V(at C4A f<f^Ai<N+l) 

Vy(at C4 A i=N+l) by ( 7 ) ,(8) and ( 4 ). 


( 12 ) 


I: at 


"o 


Af=f Ai(N+l3A7(^t 


C4 A. f f ^ 

by (9)» (10). 


( 13 ) f^at Cg/Cg,Cg,c^Q 


A f =£q A i< N+1 3 V ( at C4 A f o'^ ^ ^ ^ 

Vg(at C4 A i=N+l) by (11)/ (12)* 


( 14 ) |:at Cg/Cg/Cg/C 

( 15 ) \r- at C4/Cg/Cg 

( 16 ) l^atC4 -*Cg» 




Af=f A i < N+1 —Rat C4 A f < £ A i<N+l) 

10 o ■■ ^ 

\/V(at C4 A i=N+l) by (6)/ ( 13 ) . 

( at C4 i=Ntl ) by ( 5 ) / ( 14 ) . 
.CuAf=£oAi<N+l.:3V(at o^ A f <£„Ai<N+l) 

Vy^(at (10)# (15) • 
( 17 ) !- at . *^11 i^N+l .J>v(at A ^ (f q i<N+l ) 

V v(at c^A i=N+l) by (8)., (16). 

(18) (at A i(^ N+ 1 ) f\ (at A i=M+l )^; 

V (at .A fAf^A i<N+l)\/(7(at i=N+l) by 
(4), (17). 

This , using (Qi)^ gives the required Induction Step 

(19) at c^-.c^^A f=f^ V(at c^A f < f^)'^9ia.t Ai=N+l) by (18) ^(Qi) 
Using Induction 

(20) jrat G4..c^^:j\7(at c^ A i=N+l) by Basis i,e.( (3), (4)} and (19) 

(21) A at C 3 ..c^^i:)y(at by (1), (2), (20). 

Lemma (L2): ⊨ at c12..c23 ⊃ ◇ at c0 

Assume throughout that j is some integer, 0 ≤ j ≤ N+1. 

(1) ⊨ at c13 ∧ i = N+1 ⊃ ◇ at c0 by ESC rule. 

Induction will be used to show 

(at c13..c23 ∧ i < j) ∨ (at c13, c20, c23 ∧ i = j) ⊃ ◇(at c13 ∧ i = j ≤ N+1) 

Let the 'bounding function' f be defined by 

f(i) = j - i 
f = 0 ≡ i = j. 

Basis (2) ⊨ [(at c13..c23 ∧ i < j ≤ N+1) ∨ (at c13, c20, c23 ∧ i = j ≤ N+1)] ∧ f = 0 
⊃ (at c13, c20, c23 ∧ i = j ≤ N+1) 

(3) ⊨ at c13, c20, c23 ∧ i = j ≤ N+1 ⊃ ◇(at c13 ∧ i = j ≤ N+1) 

by ESC rule applied twice, to c20 and then to c23. 
( 4 ) |=at i < j Af=fQ^V^t V at < j Af=£^J 

by ESC rule applied twice , to and then to 

( 5 ) t at c^ 3 ..C 3 _g /U<j Af=fQ^?(at c^q /U ^ j ^.£=£^-1 < f^) 

by SP rule applied to path ^ ^ 

( 6 ) i= at C 23 _/C 22^- ^23 ^ 


by SP rule applied to path ^21 *^22 — ^*^23* 

(7) tat C 20 ' C 23 A i Nj '"if =£2^1-’?(at c^ 2 Ai‘(jA£ =f^) 

by ESC rule applied twice, to C 2 q and then to <^ 23 * 

(8) at .C]_g Ai A j A£=fQ'C>jV(at c^^!\ ±<j /\ f(f^) ^ 

V (at C 3 _ 3 Ai=j)Jby (5), (7), (3). 

( 9 ) |;. at Cjj,. C2^i< jAf^=[V(at Cj^3A i<j A £ ^ *p V 
\7 (at Cj^ 3 Ad=j)Jby (6), (7), (3)- 

(10) I:: at c^3 A i A j A f <£^) V 

\7 (at c^3Ai =j)]by ( 8 ), ( 9 ). 

(11) )= at o ^ 2 *‘‘^ 19 '^ 21 '^ 22 ^' Cj_3 A 1 AjAf Af^) V 

VCat c ^3 A i=j)Jby (4), (10). 

(12) at C 13 ..C 23 A i < j A£=£^-[V(at 0^3 A i <j Af < £^) V 

Y(at c^3Ai=j)]by ( 7 ), ( 11 ). 

(13) 1= (at c^ 3 ..C 23 Ai(j Af=fQ)V(st ^i2'^20*^23^ 

V(at Ci 3 Ai-<jA£<fo)VV(at c^3Ai=:l) 

This is the required induction step. Hence by Induction 

( 14 ) Nat 033..C23Ai<J)V(at C33-C30.C33 Ai=j)^VCat c^jAl-j) 

for all j, o^j^N+l by (2), (3), (13). 

(15) t: (at C33..C23Ai^«)'/ C33,C30^23Ai=N-H)> . 

7 (at 033 A 1 =«+ 1 ) by i»N+l 
(16) ⊨ at c13..c23 ⊃ ◇(at c13 ∧ i = N+1) by (15), using (Qi) 

(17) ⊨ at c13..c23 ⊃ ◇ at c0 by (1), (16). 

Main Liveness Proof 

⊨ Unreach(x) ⊃ ◇(ENDFREE = x), for all x. 

i.e. every unreachable node is eventually added to the free list. 

By the definition of Unreach, x ≠ ROOT ∧ x ≠ FREE ∧ x ≠ 0. 

Obviously, the distinguished nodes ROOT, FREE, 0 are never put in 
the free list. 

In the following, 

x ∈ {0..N} - {0, ROOT, FREE} 

(1) ⊨ Unreach(x) ⊃ □Unreach(x) ∨ ◇(at c19 ∧ ENDFREE = x = i) 
by safety prop (Q2). 

(2) ⊨ at c18 ∧ i = x ⊃ ◇(at c19 ∧ ENDFREE = x) by ESC rule. 

(3) 1= |j Unreach (x) 10 0 Unreach(x) A^' in Collector by safety prop (Ql)« 

(4) jr in collector = at ^2^^^ ^13**^23* 

(5) 1^- at c^g. .c^^lO V at c^ by liveness Lemma (L2) 

(6) ^ at y at Cg by SP rule to path o^— i-c^-^ Cg— >Cg 

(7) 1= at Cg..c^j^:7 V at c^^g liveness lemma (LI) 

(8) in collector 07 \/ at c^g ty (4), (5), (6), (7) 

(9) I? n Unreach (x ) p V at c^g A D Unreach (x) by (3), (8) 

(10) 1= at c^^gOr^A/y (IGray (y)) by safety prop (Q3) 

(11) ^ at C 2_2 Aty (UGray (y) )Dat c^gA^y [(Anc(x,y)o>lGray(y)), J 

for any node x. 

(12) p at C 3_2 a D Unreach(x)3 [ at C 3 _g A Q Unreach (x) A 

Yy (Anc(x,y)07lGray(y))] by (10), (11) 
(13) ⊨ ∀y(Anc(x,y) ⊃ ¬Gray(y)) ∧ □Unreach(x) ⊃ 
□∀y(Anc(x,y) ⊃ ¬Gray(y)) by the safety prop (Q4) 

Jnreach (x) Vy ( Anc (x,y ) a'" "TGray (y ) ) 


(14) 

at 

^12 


/\ at 

*^12 

(15) 

at 

Ci2 'L 

(16) 

at 

C3_2 "■ 

(17) 

at 

c 

o 

(18) 

at 

Ci2,r5 

(19) 

!=■ [at 

^=12 


[v (at Cq/' 


SJ (at c^Aify(-i Black (y)) by (16), (17) 

A D Unroach (x ) ADfy (Anc (x,y ) 'l(Gray (y )^~ 


1 Gray (y))]by (18) 

(20) [■' "V y (-iBlack (y) ) AO^y(Anc(x,y )p"lGray (y) ) ^ 

[yy (Anc (x,y) White (y)^by fv ^ white (y) V Gray (y )'/Black(y^ 

(21) [at c^Aty (IBlack (y) )/! D Unreach (x) Ani/y(Anc^x,y) 

^ "j Gray (y )^0^^ Unreach (x ) A ^y (Anc (x/y ) white (y 

by ( 20 ) 

{22)\-\}t Y ( Anc (x ,y ) :-' white (y ) ) A I'J Unreach (xji Dty ( Anc (x,y ) 
r" white (y)^^the safety Prop (Q3) 

]: £ (at c ) A [i unreach (x ) A "^y ( Anc (x,t ) white (y ) )] r: 


(23) 

(24) 

(25) 

(26) 


(at Cq n unreach (x) A C fyiAnc (x,y ) White (y ) )j by ( 22 ) 
[j'Vy(Anc(x,y) white (y ) )P>Dwhite (x) , tiy f^Anc(x,x) 

]: [at CqAD Ur^sach(x) AD^r (Anc (x,y) 2D white (y)^p:5 

[at Cq a D Unreach (x) A D white (x )] by (24) 
t at c 3 V ‘^13 ’^ Lemma (Li), (15) 
(27) ⊨ at c13 ⊃ ◇(at c13 ∧ i = x) by step (14) in the proof of 
Lemma (L2), which was derived by Induction. 

(28) ⊨ at c0 ∧ □Unreach(x) ∧ □White(x) ⊃ ◇(at c13 ∧ i = x 
∧ □White(x) ∧ □Unreach(x)) by (26), (27). 

(29) ⊨ at c13 ∧ i = x ∧ □White(x) ⊃ ◇(at c19 ∧ ENDFREE = x) 
by SP rule applied to the path c13 → c14 → c15 ... c19, 
□White(x), (2), (i = x). 

(30) ⊨ at c0 ∧ □Unreach(x) ∧ □White(x) ⊃ ◇(ENDFREE = x) 
by (28), (29) and Temporal Logic. 

(31) ⊨ at c0 ∧ □Unreach(x) ∧ ∀y(Anc(x,y) ⊃ White(y)) ⊃ ◇(ENDFREE = x) 
by (23), (25), (30). 

(32) ⊨ at c12 ∧ □Unreach(x) ∧ □∀y(Anc(x,y) ⊃ ¬Gray(y)) ⊃ ◇(ENDFREE = x) 
by (19), (21), (31) and Temporal Logic. 

(33) ⊨ at c12 ∧ □Unreach(x) ⊃ ◇(ENDFREE = x) by (14), (32). 

(34) ⊨ □Unreach(x) ⊃ ◇(ENDFREE = x) by (9), (33) and 
Temporal Logic. 

(35) ⊨ Unreach(x) ⊃ ◇(ENDFREE = x) by (1), (2), (34). 


The main liveness proof seems long (and tedious). The 
argument used is quite simple. 

Sometime after a node x becomes unreachable, control 
always reaches c12 in the collector. At c12, all nodes are 
nongray and so all ancestors of x are also nongray. If x is 
assumed to be forever unreachable, this ensures, by (Q4), that all 


Note: in steps (30), (32), (34) the Temporal Logic Theorem 
□p ∧ ◇q ⊃ ◇[q ∧ □p] is used. 
ancestors of x are from then onwards always nongray. 

Control always goes from c12 to c0, and at c0 all 
nodes are non-black. Thus, at c0, all ancestors of x are 
forever nongray and also presently non-black. Hence at c0, 
all ancestors of x are white. 

Again, since x is assumed forever unreachable, and all 
its ancestors are white, by (Q5), from this instant onwards all 
ancestors of x are forever white. Hence, from this instant 
onwards x is forever white. 

Any node which is forever white must be collected and 
put into the free-list by the collect phase (when i = x). 

Hence, x is eventually put into the free-list. 
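The Mark-phase argument above (the bounding function f of Lemma L1 and the invariant (R3)) can be exercised on a small constructed model. The following Python is an added example, not the thesis's program: it assumes the loop structure the text describes (scan i from 0; if Gray(i), gray both sons, blacken i and reset i to 0, else i := i+1), a two-son node representation, and a mutator that only redirects an edge between reachable nodes and grays the target; the heap, the mutator script and all function names are constructed here.

```python
# Constructed model of the Mark phase as described in the text (not the thesis's
# own program).  The run checks (R3) at every loop test, that the bounding function
# f(i, #Black) = (N+1)[N - #Black] + [(N+1) - i] of Lemma L1 strictly decreases
# across loop iterations, and inspects the colours at c12 (the Q3 conditions).
WHITE, GRAY, BLACK = "white", "gray", "black"

class Heap:
    def __init__(self, sons, roots):
        self.sons = [list(pair) for pair in sons]   # sons[x] = [left, right]; None = no son
        self.roots = tuple(roots)                    # ROOT and FREE
        self.N = len(sons) - 1                       # nodes are 0..N
        self.color = [WHITE] * (self.N + 1)

    def reachable(self):
        seen, stack = set(), list(self.roots)
        while stack:
            x = stack.pop()
            if x is not None and x not in seen:
                seen.add(x)
                stack.extend(self.sons[x])
        return seen

    def gray_reachable(self, x):
        """Directed path from a gray node, along white nodes, to x (the sense of (R3))."""
        seen, stack = set(), [g for g in range(self.N + 1) if self.color[g] == GRAY]
        while stack:
            y = stack.pop()
            if y == x:
                return True
            if y not in seen:
                seen.add(y)
                stack.extend(s for s in self.sons[y] if s is not None and self.color[s] == WHITE)
        return False

    def r3_holds(self):
        return all(self.color[x] != WHITE or self.gray_reachable(x) for x in self.reachable())

    def f(self, i):
        """Bounding function of Lemma L1."""
        return (self.N + 1) * (self.N - self.color.count(BLACK)) + (self.N + 1 - i)

    def mark(self, mutator=None):
        """Run the Mark phase; return f sampled at every loop test (c4) and finally at c12."""
        for r in self.roots:                         # ROOT, FREE are grayed on entry
            self.color[r] = GRAY
        i, trace = 0, []
        while i <= self.N:                           # loop test at c4
            trace.append(self.f(i))
            assert self.r3_holds(), "(R3) violated at i=%d" % i
            if mutator is not None:
                mutator(self)                        # interleaved mutator action
            if self.color[i] == GRAY:                # c5: Gray(i) -> c8, c9, c10, c11
                for s in self.sons[i]:
                    if s is not None and self.color[s] == WHITE:
                        self.color[s] = GRAY
                self.color[i] = BLACK
                i = 0
            else:                                    # c5: not Gray(i) -> c6
                i += 1
        trace.append(self.f(i))                      # at c12: i = N+1
        return trace

def scripted_mutator(actions):
    """Mutator performing the given (a, b) edge redirections, one per call, and
    refusing any that would touch an unreachable node."""
    pending = list(actions)
    def step(heap):
        if pending:
            a, b = pending.pop(0)
            reach = heap.reachable()
            if a in reach and b in reach:
                heap.sons[a][0] = b
                if heap.color[b] == WHITE:
                    heap.color[b] = GRAY             # the mutator grays the new target
    return step

def demo():
    # Constructed heap: 0 = ROOT, 1 = FREE; nodes 6 and 7 only point at each other (garbage).
    sons = [[2, 3], [4, None], [5, None], [None, None], [None, None], [3, None], [7, None], [6, None]]
    heap = Heap(sons, roots=(0, 1))
    trace = heap.mark(scripted_mutator([(3, 5), (2, 4), (3, 7)]))   # (3, 7) is refused
    assert all(a > b for a, b in zip(trace, trace[1:])), "f must strictly decrease"
    live = heap.reachable()
    assert GRAY not in heap.color                                     # at c12: no gray node
    assert all(heap.color[x] == BLACK for x in live)                  # reachable nodes are black
    assert all(x not in live for x in range(heap.N + 1) if heap.color[x] == WHITE)
    return trace, heap.color

if __name__ == "__main__":
    print(demo())
```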
3.2 Alternating Bit Protocol 


The protocol implementation and the safety proof 
follow [SUN]. This is a simplex protocol to send a message, 
m, from a sender station to a receiver station. Both sender 
and receiver maintain one-bit counters, called SSN, RSN respectively. 
The sender transmits a packet made of a sequence number field, 
which holds the present value of SSN, and a message field. 

The receiver, on receipt of a packet whose sequence 
number field matches RSN, accepts the packet and flips RSN. It 
then delivers the message contained in the packet (to its host) 
and sends back an acknowledgement (ack). The ack is actually 
identical to the packet just received. The sender can proceed to 
the next message only after it gets the ack. Message packets, as 
well as acks, may be lost. Hence the sender keeps retransmitting 
message packets, until it gets the ack. On receipt of the 
expected ack, the sender flips its own one-bit counter, SSN. 
Sent ≡ sequence of all messages sent. 
Received ≡ sequence of all messages received. 

The distributed protocol system has been modelled as 
a system with central shared memory, by assuming the medium 
(or channel) to be a queue of packets. 

The Sender to Receiver medium (StoR) and the Receiver 
to Sender medium (RtoS) are both queue-of-packets variables. 

Such a variable has the value Empty when the queue contains no 
packets. The operations on a queue-of-packets variable, q, are 
First(q), which returns the first element in the queue, Rest(q), 
which returns the queue without the first element, and q @ p, 
which appends a packet p to the rear end of the queue. 

Pending and Receiver-Buffer are packet variables at 
the sender and receiver, respectively. They are used to buffer 
outgoing and incoming messages, respectively. A packet is a 
composite object with a message field and a sequence number field. 
A packet value can be constructed by Makepacket(message, sequence 
number). A packet variable has the value NIL when it holds no 
packet. The message field of a packet variable, p, is returned 
by the function Text(p), and the function Seq(p) returns the 
sequence number field. 

In the Alternating Bit protocol, the sequence number is 
represented by a single bit, so it may only be 0 or 1. 

¬0 = 1 and ¬1 = 0. 

In the following program, each process is described by 
a do-od construct. Two points should be made about this 'parallel 
do-od'. 

(i) If all the guards of a do-od construct are false, the 
process waits for some guard to become true 
- i.e. the do-od does not terminate. 

(ii) Each guarded command (i.e. guard and associated 
statement list) is an indivisible action. 

That is, no action from another process may be interleaved 
between the evaluation of the guard (to True) and the associated 
statement list. 

Program Alternating Bit Protocol; 

RtoS, StoR: queue-of-packets, modelling the two mediums; 

Pending, Receiver-Buffer: Packet; 

SSN, RSN: Sender and Receiver sequence number counters - 
one bit; 

Sent, Received: queue of message, history variables, 
recording the sequence of all messages sent and received; 

m: Message, a buffer at the sender, in which Host places the 
message to be sent; 

Host-Ready: Boolean, set True by host after placing a 
message in m; 

(* Initialize Protocol *) 

Pending, Receiver-Buffer := NIL, NIL; 
RtoS, StoR             := Empty, Empty; 
Received, Sent         := Empty, Empty; 
RSN, SSN               := 0, 0; 
Host-Ready             := False 

Cobegin 

Lose-Ack || Lose-Packet || Sender-A || Sender-B || Receiver || Host-Proc 

Coend 
Process Lose-Ack; 
do 
  (* Lose first ack in queue RtoS *) 
  Lose-Ack: < RtoS ≠ Empty -> RtoS := Rest(RtoS) > 
od 

Process Lose-Packet; 
do 
  (* Lose first packet in queue StoR *) 
  Lose-Packet: < StoR ≠ Empty -> StoR := Rest(StoR) > 
od 

Process Sender-A; 
do 
  (* Send a message, placed in m, by the host *) 
  Sender-A1: < Pending = NIL ∧ Host-Ready -> 
                 Pending := Makepacket(m, SSN); 
                 StoR := StoR @ Makepacket(m, SSN); 
                 Sent := Sent @ m > 

  (* Get the expected ack from receiver *) 
  Sender-A2: < RtoS ≠ Empty ∧ Pending ≠ NIL ∧ Seq(First(RtoS)) = SSN -> 
                 Host-Ready := False; 
                 Pending := NIL; 
                 SSN := ¬SSN; 
                 RtoS := Rest(RtoS) > 

  (* Get the ack for an old message - i.e. the last but one 
     message sent - ignore it *) 
  Sender-A3: < RtoS ≠ Empty ∧ Pending ≠ NIL ∧ Seq(First(RtoS)) = ¬SSN -> 
                 RtoS := Rest(RtoS) > 
od 

Process Sender-B; 
do 
  (* Retransmit a message whose ack has not yet been received *) 
  Sender-B: < Pending ≠ NIL -> 
                StoR := StoR @ Pending > 
od 

Process Receiver; 
do 
  (* Receive the next message *) 
  Receiver1: < StoR ≠ Empty ∧ Receiver-Buffer = NIL ∧ Seq(First(StoR)) = RSN -> 
                 Receiver-Buffer := First(StoR); 
                 RSN := ¬RSN; 
                 StoR := Rest(StoR) > 

  (* Get an old message - i.e. one that has been already received 
     and acknowledged - send a fresh ack for this message. 
     The guard Receiver-Buffer = NIL keeps this action disabled 
     while a received message awaits delivery, as the Send Complete 
     assertion below requires *) 
  Receiver2: < StoR ≠ Empty ∧ Receiver-Buffer = NIL ∧ Seq(First(StoR)) = ¬RSN -> 
                 RtoS := RtoS @ First(StoR); 
                 StoR := Rest(StoR) > 

  (* Deliver the message in Receiver-Buffer by appending it to 
     Received, and acknowledge *) 
  Receiver3: < Receiver-Buffer ≠ NIL -> 
                 Received := Received @ Text(Receiver-Buffer); 
                 RtoS := RtoS @ Receiver-Buffer; 
                 Receiver-Buffer := NIL > 
od 

Process Host-Proc; 

(* Host-Proc describes the behaviour of the sender host - it is 
   not a part of the Alternating Bit protocol system, and its 
   actions are not considered in the correctness proof - its 
   description may be taken to be a specification *) 

do 
  (* The Host has no message to send *) 
  < ¬Host-Ready -> skip > 

  (* The Host places a message in m, and sets Host-Ready 
     to True *) 
  < ¬Host-Ready -> m := message; 
                   Host-Ready := True > 

  (* The Host waits for sender to complete transmission *) 
  < Host-Ready -> skip > 
od 
In this program, each process (Host-Proc is not 
considered further) has only a single deterministic control 
location. Hence, after every transition, each process remains 
in its unique control location. If l0 is the vector of initial 
control locations, then 

at l0 ⊃ □ at l0. 

This being the case, no location predicates are used 
in the derivations. The location predicates can easily be 
introduced, to make the derivations conform exactly to the 
rules. 

Note that Sender has been split into two processes, so 
as to ensure that all locations are deterministic. 

(Transition diagrams of the processes: Lose-Ack, Lose-Packet 
and Sender-B each have a single transition of the same name; 
Sender-A has the transitions Sender-A1, Sender-A2, Sender-A3; 
Receiver has the transitions Receiver1, Receiver2, Receiver3; 
every transition returns to the process's single control location.) 

3.2.1 The Safety Properties 

The Alternating Bit protocol system is shown to be always 
in one of four states. Liveness arguments are subsequently used 
to show that the protocol system does indeed cycle through 
the four states. The four states are Relaxed, Sending, Send 
Complete, Acking. 

The initial condition is described by 

Init ≡ (Pending = Receiver-Buffer = NIL 
        ∧ Received = Sent = Empty 
        ∧ RSN = SSN = 0 
        ∧ Host-Ready = False) 

The required safety properties are 

(I1) Init ⊃ □(Relaxed ∨ Sending ∨ Send Complete 
∨ Acking), 

- the system is always in one of the four states. 

The states are such that no two of them can be true for the 
system together. 


(I2) Relaxed ⊃ ¬Sending U Relaxed 

(I3) Sending ⊃ ¬Send Complete U Sending 

(I4) Send Complete ⊃ ¬Acking U Send Complete 

(I5) Acking ⊃ ¬Relaxed U Acking 


- the above four assertions use the dyadic U operator 
and are of the form I ⊃ R U I, i.e. if I ever becomes true, 
then it remains true "as long as" R remains true. Thus, each 
assertion says that if the protocol system is in a particular 
state, then it continues to remain in that state, until it goes 
to the unique successor state. 
The succession of states is given by 

Relaxed → Sending → Send Complete → Acking → Relaxed ... 

Deriving (I1) 

Initial: (I1) is true initially because 
Init ⊃ Relaxed. 

Inductive: If the system is initially in one of the four 
states and (I2) to (I5) hold, then (I1) is obviously inductive. 

In order to derive (I2) to (I5), which are of the form I ⊃ R U I, 
it must be shown for all transitions τ that, 

at l ∧ c_τ(y) ∧ I(π; y) ∧ R(π; y) ⊃ [I(r_τ(π); f_τ(y)) ∨ ¬R(r_τ(π); f_τ(y))] 

(In terms of MP this would mean that I is R-invariant). 

This verification condition is abbreviated 

{I ∧ R} τ {I ∨ ¬R} 

The assertions defining the four states are 

Relaxed ≡ Pending = NIL ∧ SSN = RSN ∧ Receiver-Buffer = NIL 
          ∧ Sent = Received ∧ StoR ∈ {(m', ¬SSN)*} 
          ∧ RtoS ∈ {(m', ¬SSN)*} 

Sending ≡ Pending = (m, SSN) ∧ SSN = RSN ∧ Receiver-Buffer = NIL 
          ∧ Sent = Received @ m ∧ StoR ∈ {(m', ¬SSN)*(m, SSN)+ + (m, SSN)*} 
          ∧ RtoS ∈ {(m', ¬SSN)*} 

Send Complete ≡ Pending = (m, SSN) ∧ SSN = ¬RSN ∧ Receiver-Buffer = (m, SSN) 
          ∧ Sent = Received @ m ∧ StoR ∈ {(m, SSN)*} 
          ∧ RtoS ∈ {(m', ¬SSN)*} 

Acking ≡ Pending = (m, SSN) ∧ SSN = ¬RSN ∧ Receiver-Buffer = NIL 
          ∧ Sent = Received ∧ StoR ∈ {(m, SSN)*} 
          ∧ RtoS ∈ {(m', ¬SSN)*(m, SSN)+ + (m, SSN)*} 

In the above assertions, m' denotes an old message, i.e. a message 
for which the sender has already got the ack. The StoR and RtoS 
mediums are described by means of regular expressions. Thus 
{(m', ¬SSN)*(m, SSN)+ + (m, SSN)*} is the set of all sequences of 
packets which have either (i) a nonzero number of (m', ¬SSN)-packets 
followed by a nonzero number of (m, SSN)-packets, or (ii) an 
arbitrary number of (m, SSN)-packets. 

Deriving (I2) 

{I ∧ R} ≡ Relaxed ∧ ¬Sending ≡ Relaxed 
{I ∨ ¬R} ≡ Relaxed ∨ Sending. 

{Relaxed ∧ RtoS ≠ Empty} LoseAck {Relaxed} 
{Relaxed ∧ StoR ≠ Empty} LosePacket {Relaxed} 
{Relaxed ∧ Host-Ready} SenderA1 {Sending} 
{Relaxed ∧ StoR ≠ Empty} Receiver2 {Relaxed} 

The other transitions are not enabled and cannot occur. 

Relaxed ⊃ ¬Sending U Relaxed. 

(I3), (I4), (I5) can be derived similarly by considering all 
transitions. 
From (I2) to (I5) and Init ⊃ Relaxed, follows 

(I1) Init ⊃ □(Relaxed ∨ Sending ∨ Send-Complete ∨ Acking). 

These five assertions can be used to derive other 
required safety properties. 

For example - 

If there are no outstanding messages (i.e. transmitted messages 
for which an ack has not been received), then the sequence of 
messages sent is identical to the sequence of messages received. 
From (I1) and (Sending ∨ SendComplete ∨ Acking ⊃ Pending ≠ NIL), 
it follows that the above property can be expressed as 
Relaxed ⊃ Sent = Received. 

This is indeed true. 
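The four state assertions and (I1)-(I5) can be checked mechanically on a bounded model of the program above. The following Python is an added example, not part of the thesis or of [SUN]: it encodes the program's guarded commands and the four assertions directly, explores every interleaving by breadth-first search, and asserts that exactly one assertion holds in each reachable state and that a state can only change to its unique successor. The host workload MESSAGES, the medium bound MAX_Q and all function names are constructed here; Receiver2 is modelled with the guard Receiver-Buffer = NIL, which the Send Complete assertion requires.

```python
from collections import deque

NIL = None
MAX_Q = 2                 # constructed bound on the length of each medium
MESSAGES = ("a", "b")     # constructed host workload

def neg(b):
    return 1 - b          # ¬0 = 1, ¬1 = 0

# State tuple: (Pending, Receiver-Buffer, SSN, RSN, StoR, RtoS, Sent, Received,
#               Host-Ready, m, index of the next host message)
INIT = (NIL, NIL, 0, 0, (), (), (), (), False, NIL, 0)

def successors(s):
    """All enabled guarded commands of the program, as (label, next state) pairs."""
    pend, rbuf, ssn, rsn, stor, rtos, sent, recv, ready, m, nxt = s
    out = []
    if rtos:                                            # Lose-Ack
        out.append(("Lose-Ack", (pend, rbuf, ssn, rsn, stor, rtos[1:], sent, recv, ready, m, nxt)))
    if stor:                                            # Lose-Packet
        out.append(("Lose-Packet", (pend, rbuf, ssn, rsn, stor[1:], rtos, sent, recv, ready, m, nxt)))
    if pend is NIL and ready and len(stor) < MAX_Q:     # Sender-A1
        p = (m, ssn)                                    # Makepacket(m, SSN)
        out.append(("Sender-A1", (p, rbuf, ssn, rsn, stor + (p,), rtos, sent + (m,), recv, ready, m, nxt)))
    if rtos and pend is not NIL and rtos[0][1] == ssn:  # Sender-A2: the expected ack
        out.append(("Sender-A2", (NIL, rbuf, neg(ssn), rsn, stor, rtos[1:], sent, recv, False, m, nxt)))
    if rtos and pend is not NIL and rtos[0][1] == neg(ssn):  # Sender-A3: an old ack
        out.append(("Sender-A3", (pend, rbuf, ssn, rsn, stor, rtos[1:], sent, recv, ready, m, nxt)))
    if pend is not NIL and len(stor) < MAX_Q:           # Sender-B: retransmit
        out.append(("Sender-B", (pend, rbuf, ssn, rsn, stor + (pend,), rtos, sent, recv, ready, m, nxt)))
    if stor and rbuf is NIL and stor[0][1] == rsn:      # Receiver1
        out.append(("Receiver1", (pend, stor[0], ssn, neg(rsn), stor[1:], rtos, sent, recv, ready, m, nxt)))
    if stor and rbuf is NIL and stor[0][1] == neg(rsn) and len(rtos) < MAX_Q:  # Receiver2
        out.append(("Receiver2", (pend, rbuf, ssn, rsn, stor[1:], rtos + (stor[0],), sent, recv, ready, m, nxt)))
    if rbuf is not NIL and len(rtos) < MAX_Q:           # Receiver3
        out.append(("Receiver3", (pend, NIL, ssn, rsn, stor, rtos + (rbuf,), sent, recv + (rbuf[0],), ready, m, nxt)))
    if not ready and nxt < len(MESSAGES):               # Host-Proc
        out.append(("Host-Proc", (pend, rbuf, ssn, rsn, stor, rtos, sent, recv, True, MESSAGES[nxt], nxt + 1)))
    return out

def all_equal(q, p):
    return all(x == p for x in q)                       # q in {p*}

def old_then_new(q, old, new):
    """q in {old* new+  +  new*}, the regular expression of the Sending/Acking assertions."""
    k = 0
    while k < len(q) and q[k] == old:
        k += 1
    return all_equal(q[k:], new) and (k == 0 or len(q) > k)

def classify(s):
    """Names of the state assertions satisfied by s (exactly one, if (I1) holds)."""
    pend, rbuf, ssn, rsn, stor, rtos, sent, recv, ready, m, nxt = s
    cur = (m, ssn)                                      # packet of the current message
    def old_pkt(prev):                                  # (m', ¬SSN): m' = last acked message
        return None if prev is None else (prev, neg(ssn))
    last = recv[-1] if recv else None
    before_last = recv[-2] if len(recv) >= 2 else None
    names = []
    if (pend is NIL and ssn == rsn and rbuf is NIL and sent == recv
            and all_equal(stor, old_pkt(last)) and all_equal(rtos, old_pkt(last))):
        names.append("Relaxed")
    if (pend == cur and ssn == rsn and rbuf is NIL and sent == recv + (m,)
            and old_then_new(stor, old_pkt(last), cur) and all_equal(rtos, old_pkt(last))):
        names.append("Sending")
    if (pend == cur and ssn == neg(rsn) and rbuf == cur and sent == recv + (m,)
            and all_equal(stor, cur) and all_equal(rtos, old_pkt(last))):
        names.append("SendComplete")
    if (pend == cur and ssn == neg(rsn) and rbuf is NIL and sent == recv
            and all_equal(stor, cur) and old_then_new(rtos, old_pkt(before_last), cur)):
        names.append("Acking")
    return names

SUCC = {"Relaxed": "Sending", "Sending": "SendComplete",
        "SendComplete": "Acking", "Acking": "Relaxed"}

def explore():
    """BFS over all interleavings from INIT; returns (#states, {state: transitions leaving it})."""
    seen, work, leavers = {INIT}, deque([INIT]), {}
    while work:
        s = work.popleft()
        here = classify(s)
        assert len(here) == 1, f"(I1)/exclusion violated: {here} in {s}"
        for label, t in successors(s):
            there = classify(t)
            assert len(there) == 1, f"(I1)/exclusion violated: {there} in {t}"
            if there[0] != here[0]:
                assert there[0] == SUCC[here[0]], f"(I2)-(I5) violated: {label}"
                leavers.setdefault(here[0], set()).add(label)
            if t not in seen:
                seen.add(t)
                work.append(t)
    return len(seen), leavers

if __name__ == "__main__":
    n, leavers = explore()
    print(n, "states;", {k: sorted(v) for k, v in leavers.items()})
```

The transitions reported as leaving each state are exactly the ones the liveness properties below depend on.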

3.2.2 The Liveness Properties 

The Liveness Properties are such as to ensure that 
the Alternating Bit protocol system does indeed cycle through 
the four states. 

They are 

(L1) Relaxed ∧ Host-Ready ⊃ ◇Sending. 

(L2) Sending ⊃ ◇Send Complete. 

(L3) Send Complete ⊃ ◇Acking. 

(L4) Acking ⊃ ◇Relaxed. 

Each liveness property depends on the occurrence of 
one particular transition. Thus (L1) depends on SenderA1, 
(L2) depends on Receiver1, (L3) depends on Receiver3 and (L4) 
depends on SenderA2. 
Properties (L1) and (L3) are derived by a single 
application of the ESC rule for each property. 

For (L2) and (L4), derivation is more complex. 

Let an oldpacket (oldack) be defined as a packet (ack) 
with sequence number ¬SSN. 

The medium StoR must be cleared of oldpackets before 
transition Receiver1 can occur. Similarly, medium RtoS must be 
cleared of oldacks before transition SenderA2 can occur. 

The clearing of oldpackets/oldacks still does not 
guarantee that the required transitions must occur, because of the 
actions of LosePacket/LoseAck. 

This motivates the following constraint on the 
transmission mediums. The constraint may be regarded as a 
restriction on the behaviour of Lose-Packet/Lose-Ack. 

Medium Constraint: □◇(a packet/ack is transmitted) ⊃ ◇□(the medium StoR/RtoS is not Empty) 

- if an unbounded number of packets/acks is transmitted, 
then eventually the queue of packets/acks remains forever nonempty. 

Note: The constraint may be expressed formally as, 

□◇ at (Transmit) ⊃ ◇□ Medium ≠ Empty, 

where 'Transmit' is a dummy location introduced by concatenating 
a 'Null' transition to the 'send a packet' transition. 
is changed to 

    c: [Send] -> (the 'Transmit' location) -> [True -> skip] 



The constraint given is a weak constraint. It may be 
interpreted as - If an unbounded number of packets is transmitted, 
then some packet must be received. Thus, there is no requirement 
that the number of packets lost is bounded. 

In the liveness derivations, the requirement B of the 
ESC rule is adapted, by dropping the antecedent term 
¬ψ(r_τ(π); f_τ(y)). Recall that requirement B of the ESC rule is, 

at l ∧ c_τ(y) ∧ φ(π; y) ∧ ¬ψ(r_τ(π); f_τ(y)) ⊃ ψ(r_τ(π); f_τ(y)) 

- any of the τ_i, i = 1,...,k, transitions from location l, 
that preserves ¬ψ and is initiated with φ true, achieves ψ. This 
adaptation is justified, because anything implied by the weaker 
antecedent (i.e. the antecedent with the last term dropped) 
is also implied by the stronger antecedent (i.e. the original 
antecedent). 


Derivation of (L1). ⊨ (Relaxed ∧ Host-Ready) ∧ □¬Sending ⊃ ◇Sending. 

The ESC rule is applied to the Sender-A location. 

The requirements are 

A: (Relaxed ∧ Host-Ready) is ¬Sending-invariant. 

For every transition τ, 

{Relaxed ∧ Host-Ready} τ {(Relaxed ∧ Host-Ready) 
∨ Sending} 

- follows from the derivation of (I2). 

B: For the transition SenderA1 as τ, 

Pending = NIL ∧ (Relaxed ∧ Host-Ready) ∧ ¬Sending ⊃ Sending(r_τ(π); f_τ(y)) 

The implication is indeed true. 

C: (Relaxed ∧ Host-Ready) ⊃ (Pending = NIL ∧ Host-Ready) 
also holds. 

Relaxed ∧ Host-Ready ∧ □¬Sending ⊃ ◇Sending (by ESC) 
which is equivalent to 

(L1) ⊨ Relaxed ∧ Host-Ready ⊃ ◇Sending. 

Derivation of (L3) 

⊨ Send Complete ∧ □¬Acking ⊃ ◇Acking 

The ESC rule is applied to the Receiver location. 
The requirements are 

A: Send Complete is ¬Acking-invariant. 

Follows from (I4). 

B: For the transition τ = Receiver3, 

Send Complete ∧ Receiver-Buffer ≠ NIL ∧ ¬Acking ⊃ Acking(r_τ(π); f_τ(y)) holds. 

C: Send Complete ⊃ Receiver-Buffer ≠ NIL, also holds. 

Hence, by ESC rule 

⊨ Send Complete ∧ □¬Acking ⊃ ◇Acking, 
which is equivalent to 

(L3) Send Complete ⊃ ◇Acking. 
The argument used to derive (L2) is as follows.

Eventually StoR is cleared of old packets. After that, a packet is transmitted into StoR an unbounded number of times by SenderB; hence (by the constraint on the medium) eventually StoR remains nonempty. When this is the case, transition Receiver₂ is enabled and must occur (by the ESC rule), thus making (L2) true.

The argument for (L4) is similar. Firstly, RtoS is cleared of old acks.

Now consider the sender-receiver medium, StoR. SenderB transmits an unbounded number of messages into StoR, so that eventually StoR remains nonempty. Hence transition Receiver₂ is enabled and must occur. The above reasoning holds as long as Acking is true, so that transition Receiver₂ occurs an unbounded number of times.

Considering medium RtoS again (which now has no old acks), it must eventually remain nonempty (by the constraint on the medium), because each transition Receiver₂ puts a new ack into RtoS.

If RtoS is nonempty and has no old acks, transition SenderA₂ must occur, showing (L4) to be true.

Let $\#\text{Oldpackets}(\text{StoR})$ return the number of old packets in the medium StoR, that is,

$\#\text{Oldpackets}(\text{StoR})$ = the number of packets in StoR with sequence number $\neq \text{SSN}$.

#Oldpackets is an abbreviation for $\#\text{Oldpackets}(\text{StoR})$.

Similarly, $\#\text{Oldacks}(\text{RtoS})$ returns the number of old acks in the medium RtoS, and #Oldacks abbreviates it.
Two additional properties are of use:

(Lp) $\Box\text{Sending} \supset \Diamond\Box(\text{Sending} \wedge \#\text{Oldpackets} = 0)$,

(La) $\Box\text{Acking} \supset \Diamond\Box(\text{Acking} \wedge \#\text{Oldacks} = 0)$.

These properties can be derived under the assumptions

(S) $\text{Sending} \supset \exists n\,(\#\text{Oldpackets} = n)$,

(A) $\text{Acking} \supset \exists n\,(\#\text{Oldacks} = n)$.

That is, the number of old packets in the Sending state is always finite, and the number of old acks in the Acking state is always finite.

Property (Lp) will be derived; the derivation of (La) is exactly similar.

First, using induction on the number of old packets, it is shown that

$\vdash \text{Sending} \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = 0)$.

Next, it can easily be derived that

$\vdash \#\text{Oldpackets} = 0 \wedge \Box\text{Sending} \supset \Box(\#\text{Oldpackets} = 0)$,

i.e. $(\#\text{Oldpackets} = 0)$ is Sending-invariant.

From the above two steps, (Lp) follows: under $\Box\text{Sending}$ the first step yields a state in which $\#\text{Oldpackets} = 0$, and the second step keeps it so from then on.

Induction:

(Basis) $\vdash (\text{Sending} \wedge \#\text{Oldpackets} = 0) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = 0)$: obvious.

(Induction step) $\vdash (\text{Sending} \wedge \#\text{Oldpackets} = n+1) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = n)$.

This is derived by applying the ESC rule to the Receiver-location, and seeing that transition Receiver₂ does occur, so that

$\vdash (\text{Sending} \wedge \#\text{Oldpackets} = n+1) \wedge \Box(\neg\text{Sending} \vee \#\text{Oldpackets} \neq n) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = n)$.

The requirements are:

A: $(\text{Sending} \wedge \#\text{Oldpackets} = n+1)$ is $(\neg\text{Sending} \vee \#\text{Oldpackets} \neq n)$-invariant. That is, for every transition $\alpha$,

$\{\text{Sending} \wedge \#\text{Oldpackets} = n+1\}\ \alpha\ \{\text{Sending} \wedge (\#\text{Oldpackets} = n \vee \#\text{Oldpackets} = n+1)\}$.

From the derivation of (12), there are six transitions enabled with Sending true: LoseAck, LosePacket, SenderA, SenderB, Receiver₁, Receiver₂.

LoseAck and SenderA do not affect the StoR medium; Receiver₁ is not enabled with $\#\text{Oldpackets} \neq 0$. For the other three transitions,

$\{\text{Sending} \wedge \#\text{Oldpackets} = n+1\}\ \text{LosePacket}\ \{\text{Sending} \wedge \#\text{Oldpackets} = n\}$,

$\{\text{Sending} \wedge \#\text{Oldpackets} = n+1\}\ \text{SenderB}\ \{\text{Sending} \wedge \#\text{Oldpackets} = n+1\}$,

$\{\text{Sending} \wedge \#\text{Oldpackets} = n+1\}\ \text{Receiver}_2\ \{\text{Sending} \wedge \#\text{Oldpackets} = n\}$.

Hence requirement A holds.

B: For the transition $\alpha = \text{Receiver}_2$,

$(\text{Sending} \wedge \#\text{Oldpackets} = n+1) \wedge \text{StoR} \neq \text{Empty} \wedge \neg(\text{Sending} \wedge \#\text{Oldpackets} = n) \supset (\text{Sending} \wedge \#\text{Oldpackets} = n)(f_\alpha(y))$;

this implication holds, that is, $\text{Sending} \wedge \#\text{Oldpackets} = n$ holds in the state $f_\alpha(y)$ reached by $\alpha$.

C: $(\text{Sending} \wedge \#\text{Oldpackets} = n+1) \supset \text{StoR} \neq \text{Empty}$.

Hence, by the ESC rule,

$\vdash (\text{Sending} \wedge \#\text{Oldpackets} = n+1) \wedge \Box(\neg\text{Sending} \vee \#\text{Oldpackets} \neq n) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = n)$.

This is equivalent to

$(\text{Sending} \wedge \#\text{Oldpackets} = n+1) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = n)$,

the required induction step.

By induction,

$(\text{Sending} \wedge \exists n\,(\#\text{Oldpackets} = n)) \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = 0)$.

Hence, by assumption (S),

$\vdash \text{Sending} \supset \Diamond(\text{Sending} \wedge \#\text{Oldpackets} = 0)$.

That $(\#\text{Oldpackets} = 0)$ is Sending-invariant can be seen by a derivation similar to that of (12). That is, for all transitions $\alpha$,

$\{\text{Sending} \wedge \#\text{Oldpackets} = 0\}\ \alpha\ \{\neg\text{Sending} \vee \#\text{Oldpackets} = 0\}$

does indeed hold.

From this follows

(Lp) $\models \Box\text{Sending} \supset \Diamond\Box(\text{Sending} \wedge \#\text{Oldpackets} = 0)$.
Derivation of (L2):

(1) $\vdash \text{Sending} \supset \Box\text{Sending} \vee \Diamond\text{SendComplete}$ ... from (13)

(2) $\vdash \Box\text{Sending} \supset \Diamond\Box(\text{Sending} \wedge \#\text{Oldpackets} = 0)$ ... property (Lp)

(3) $\vdash \Box\text{Sending} \supset \Box(\text{Pending} \neq \text{NIL})$ ... from $\text{Sending} \supset \text{Pending} = (m, \text{SSN})$

(4) $\vdash \Box(\text{Pending} \neq \text{NIL}) \supset \Diamond(\text{SenderB occurs})$ ... by the ESC rule applied to the SenderB-location

(5) $\vdash \Box\text{Sending} \supset \Diamond(\text{SenderB occurs})$ ... by (3), (4)

(6) $\vdash \Box\text{Sending} \supset \Box\Diamond(\text{SenderB occurs})$ ... by (5), temporal logic reasoning ($\Box\text{Sending}$ holds at every later state, so (5) applies at each of them)

(7) $\vdash \Box\Diamond(\text{SenderB occurs}) \supset \Diamond\Box(\text{StoR} \neq \text{Empty})$ ... by the constraint on StoR

(8) $\vdash \Box\text{Sending} \supset \Diamond\Box(\text{StoR} \neq \text{Empty})$ ... by (6), (7)

(9) $\vdash \Box\text{Sending} \supset \Diamond\Box(\text{StoR} \neq \text{Empty}) \wedge \Diamond\Box(\text{Sending} \wedge \#\text{Oldpackets} = 0)$ ... by (2), (8)

(10) $\vdash \Box\text{Sending} \supset \Diamond\Box(\text{Sending} \wedge \text{StoR} \neq \text{Empty} \wedge \#\text{Oldpackets} = 0)$ ... by (9), temporal logic theorem ($\Diamond\Box A \wedge \Diamond\Box B \supset \Diamond\Box(A \wedge B)$)

(11) $\vdash (\text{Sending} \wedge \text{StoR} \neq \text{Empty} \wedge \#\text{Oldpackets} = 0) \supset \text{StoR} \in \{(m, \text{SSN})^+\}$ ... by the definition of Sending (StoR then consists of one or more copies of $(m, \text{SSN})$)

(12) $\vdash \Box\text{Sending} \supset \Diamond\Box(\text{StoR} \in \{(m, \text{SSN})^+\})$ ... by (10), (11)

(13) $\vdash \Box\text{Sending} \supset \Diamond(\Box(\text{StoR} \in \{(m, \text{SSN})^+\}) \wedge \text{Sending})$ ... by (12), temporal logic theorem

(14) $\vdash \text{Sending} \wedge \Box(\text{StoR} \in \{(m, \text{SSN})^+\}) \supset \Diamond\text{SendComplete}$ ... by the ESC rule applied to the Receiver-location

(15) $\vdash \Box\text{Sending} \supset \Diamond\text{SendComplete}$ ... by (13), (14)

(16) $\vdash \text{Sending} \supset \Diamond\text{SendComplete}$ ... by (1), (15); this is (L2).

Proceeding in a similar manner, (L4) may also be derived:

(L4) $\vdash \text{Acking} \supset \Diamond\text{Relaxed}$.
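The Hoare triples on which requirement A of the (Lp) induction, the Sending-invariance of #Oldpackets = 0, and step (11) of the (L2) derivation rest can be checked mechanically on a small model, in the spirit of the semi-formal checking of indivisible actions recommended in the conclusion. The following Python is an added example and is not part of the thesis: it encodes an assumed reconstruction of the Alternating-Bit Protocol (the transition names follow the thesis, but their guards and effects, the FIFO lossy media, and the bounds CAP and HOST_MSGS are my assumptions), enumerates every reachable state, and checks the three properties over every enabled transition. Because this medium may lose any packet, LosePacket is only required to leave #Oldpackets in {n, n+1} (which is all requirement A needs), while Receiver₂ is checked to land exactly on n. The liveness steps that rely on the fairness constraint on the media (the (L2) and (L4) arguments) are not covered by a finite reachability check.

```python
"""Bounded exhaustive check of the #Oldpackets triples behind (Lp) and step (11).

Added example, not from the thesis: the transition names follow the thesis, but
their guards and effects, and the bounds CAP and HOST_MSGS, are my own assumed
reconstruction of the Alternating-Bit Protocol over FIFO, lossy media.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Optional, Tuple

CAP = 3        # assumed capacity of each medium (keeps the state space finite)
HOST_MSGS = 3  # assumed number of messages the sending host offers

@dataclass(frozen=True)
class State:
    pending: Optional[Tuple[str, int]]  # Pending at sender A (NIL is None)
    ssn: int                            # sender sequence number, the alternating bit
    host_next: int                      # index of the next host message
    stor: tuple                         # StoR: FIFO of (m, seq) packets
    rtos: tuple                         # RtoS: FIFO of ack sequence numbers
    rsn: int                            # sequence number the receiver accepts next
    rbuf: Optional[Tuple[str, int]]     # ReceiverBuffer (NIL is None)

INIT = State(None, 0, 0, (), (), 0, None)

def sending(s):      # Pending = (m, SSN) and the receiver has not yet accepted it
    return s.pending is not None and s.rsn == s.pending[1]
def old_packets(s):  # #Oldpackets(StoR): packets whose sequence number != SSN
    return sum(1 for _, seq in s.stor if seq != s.ssn)

# Transitions: each returns its list of successor states (empty = not enabled).
def sender_a1(s):    # Relaxed and Host-Ready: take a host message, start Sending
    if s.pending is not None or s.host_next >= HOST_MSGS:
        return []
    return [replace(s, pending=("m%d" % s.host_next, s.ssn), host_next=s.host_next + 1)]
def sender_a2(s):    # consume the ack at the head of RtoS
    if not s.rtos:
        return []
    ack, rest = s.rtos[0], s.rtos[1:]
    if s.pending is not None and ack == s.ssn:    # ack for Pending: round done
        return [replace(s, rtos=rest, pending=None, ssn=1 - s.ssn)]
    return [replace(s, rtos=rest)]                # old ack: discard
def sender_b(s):     # (re)transmit Pending into StoR
    if s.pending is None or len(s.stor) >= CAP:
        return []
    return [replace(s, stor=s.stor + (s.pending,))]
def receiver2(s):    # receive the head of StoR and ack it
    if not s.stor or len(s.rtos) >= CAP:
        return []
    (m, seq), rest = s.stor[0], s.stor[1:]
    if seq != s.rsn:                              # old or duplicate packet: ack only
        return [replace(s, stor=rest, rtos=s.rtos + (seq,))]
    if s.rbuf is not None:                        # no room to accept a fresh packet
        return []
    return [replace(s, stor=rest, rtos=s.rtos + (seq,), rbuf=(m, seq), rsn=1 - s.rsn)]
def receiver1(s):    # deliver ReceiverBuffer to the receiving host
    return [] if s.rbuf is None else [replace(s, rbuf=None)]
def lose_packet(s):  # the medium may lose any one packet
    return [replace(s, stor=s.stor[:i] + s.stor[i + 1:]) for i in range(len(s.stor))]
def lose_ack(s):     # the medium may lose any one ack
    return [replace(s, rtos=s.rtos[:i] + s.rtos[i + 1:]) for i in range(len(s.rtos))]

TRANSITIONS = {"SenderA1": sender_a1, "SenderA2": sender_a2, "SenderB": sender_b,
               "Receiver1": receiver1, "Receiver2": receiver2,
               "LosePacket": lose_packet, "LoseAck": lose_ack}

def successors(s):   # name -> successor states, for the transitions enabled in s
    return {name: t(s) for name, t in TRANSITIONS.items() if t(s)}

def reachable(init=INIT):
    seen, todo = {init}, deque([init])
    while todo:
        new = {t for t in sum(successors(todo.popleft()).values(), []) if t not in seen}
        seen |= new
        todo.extend(new)
    return seen

def check(states, pre, post):
    """Every transition from a state satisfying pre reaches a state satisfying post.
    Returns (ok, counterexample) where the counterexample is (transition, s, t)."""
    for s in states:
        if pre(s):
            for name, succs in successors(s).items():
                for t in succs:
                    if not post(s, name, t):
                        return False, (name, s, t)
    return True, None

def check_requirement_a(states):
    """Requirement A of the induction step: from Sending & #Oldpackets = n+1 every
    transition leaves Sending & #Oldpackets in {n, n+1}; Receiver2 lands on n."""
    n = old_packets
    return check(states, lambda s: sending(s) and n(s) >= 1,
                 lambda s, name, t: sending(t) and n(t) in (n(s) - 1, n(s))
                 and (name != "Receiver2" or n(t) == n(s) - 1))

def check_oldpackets_invariant(states):
    """(#Oldpackets = 0) is Sending-invariant: {Sending & #Oldpackets = 0} alpha {not Sending or #Oldpackets = 0}."""
    return check(states, lambda s: sending(s) and old_packets(s) == 0,
                 lambda s, name, t: not sending(t) or old_packets(t) == 0)

def check_step_11(states):
    """Step (11): Sending & StoR != Empty & #Oldpackets = 0 implies StoR holds only copies of Pending."""
    bad = [s for s in states if sending(s) and s.stor and old_packets(s) == 0
           and any(p != s.pending for p in s.stor)]
    return (not bad), (bad[0] if bad else None)
```

Running `reachable()` and passing the result to the three check functions returns `(True, None)` for each; any violation would come back with the offending transition and the pair of states, which is the counterexample one would take back to the proof. Raising CAP or HOST_MSGS enlarges the state space without changing the checks.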



CONCLUSION

Comparing the methods for deriving safety and liveness properties, we feel that [LAM3] is the best method for safety properties, and [OL] is the best method for liveness properties.

The following reasons can be given for the superiority of [LAM3] over [MP] and [OG]:

(i) It is an axiomatic method, and not based on any operational model.

(ii) It can be used to examine programs with nested cobegins, unlike [MP], wherein programs have a fixed number of processes.

(iii) The indivisible actions can be at any level, unlike [OG] and [MP], wherein indivisible actions are fixed at the assignment statement/expression level.

(iv) Explicit use of location predicates; in [OG], auxiliary variables must be introduced.

(v) The semantics of processes is given by process-invariants and not by input-output behaviour as in [OG]. The [LAM3] formula $\{P\}\ S_1\ \{P\}$ for a process $S_1$ within a cobegin statement cobegin $S_1 \| S_2 \| \ldots$ coend expresses a process-invariant $P$ maintained throughout $S_1$. The corresponding [OG] formula $\{P_1\}\ S_1\ \{Q_1\}$ is an input-output assertion. The disadvantage of [OG] is that, if $S_1$ is replaced by an 'equivalent' process $S_1'$, then in addition to deriving $\{P_1\}\ S_1'\ \{Q_1\}$ it must be shown that $\{P_1\}\ S_1'\ \{Q_1\}$ is interference-free from each of the other proof-outlines derived. For [LAM3], only $\{P\}\ S_1'\ \{P\}$ must be derived.

Among the methods for deriving liveness properties, [OL] and [LAM] among them, we feel that [OL] is superior to the other methods because

(i) It is an axiomatic method. The other two methods use operational models.

(ii) It can examine programs with nested cobegins, unlike the other two methods.

(iii) It is temporal logic based; hence the formalism and theorems of temporal logic are ready to hand.

(iv) Proofs are derived using proof-lattices; this facilitates high-level, informal reasoning without sacrificing rigour.

We feel that a fully formal step-by-step proof, of even small programs, is incomprehensible. The effort spent in developing such a proof is not worth the resulting gain in understanding of the program. Informal reasoning and semi-formal methods must play a large part, if program proofs are to remain manageable.

Most properties of interest of concurrent programs follow from a few safety invariants and 'bounding functions' for termination. These safety invariants and bounding functions must be discovered by examining the program. Subsequently, they can be justified informally or derived by semi-formal checking of the relevant indivisible actions. After this, the derivation of further properties of interest becomes a simple matter.

The above approach is analogous to deriving only the loop-invariants for a sequential program, not the step-by-step Hoare-logic proof.

Some suggested directions for further work are

(i) Extension of temporal logic based methods to derive safety properties not expressible by monadic $\Box$ (e.g. First Come First Served has the form $p \supset (r\ \mathcal{U}\ q)$, which needs a binary temporal operator).

(ii) Extension of formal methods of treating concurrent programs to handle local variables of processes. That is, specify the semantics of declarations within a block.